Details of VAR-202211-0386

ID

VAR-202211-0386

CVE

CVE-2022-20962

TITLE

Cisco Systems Cisco Identity Services Engine (ISE) Past traversal vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2022-022839

DESCRIPTION

A vulnerability in the Localdisk Management feature of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to make unauthorized changes to the file system of an affected device. This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by sending a crafted HTTP request with absolute path sequences. A successful exploit could allow the attacker to upload malicious files to arbitrary locations within the file system. Using this method, it is possible to access the underlying operating system and execute commands with system privileges. (DoS) It may be in a state

Trust: 1.71

sources: NVD: CVE-2022-20962 // JVNDB: JVNDB-2022-022839 // VULHUB: VHN-405515

AFFECTED PRODUCTS

vendor:	cisco	model:	identity services engine	scope:	eq	version:	3.1	Trust: 1.0
vendor:	シスコシステムズ	model:	cisco identity services engine	scope:	eq	version:	3.1	Trust: 0.8
vendor:	シスコシステムズ	model:	cisco identity services engine	scope:	eq	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2022-022839 // NVD: CVE-2022-20962

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2022-20962
value:	HIGH
Trust: 1.0
ykramarz@cisco.com:	CVE-2022-20962
value:	LOW
Trust: 1.0
NVD:	CVE-2022-20962
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-202211-2097
value:	HIGH
Trust: 0.6

nvd@nist.gov:	CVE-2022-20962
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.1
Trust: 1.0
ykramarz@cisco.com:	CVE-2022-20962
baseSeverity:	LOW
baseScore:	3.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	1.2
impactScore:	2.5
version:	3.1
Trust: 1.0
NVD:	CVE-2022-20962
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: JVNDB: JVNDB-2022-022839 // CNNVD: CNNVD-202211-2097 // NVD: CVE-2022-20962 // NVD: CVE-2022-20962

PROBLEMTYPE DATA

problemtype:	CWE-37	Trust: 1.0
problemtype:	CWE-22	Trust: 1.0
problemtype:	Path traversal (CWE-22) [NVD evaluation ]	Trust: 0.8
problemtype:	CWE-20	Trust: 0.1

sources: VULHUB: VHN-405515 // JVNDB: JVNDB-2022-022839 // NVD: CVE-2022-20962

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202211-2097

TYPE

input validation error

Trust: 0.6

sources: CNNVD: CNNVD-202211-2097

PATCH

title:	cisco-sa-ise-path-trav-f6M7cs6r	url:	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-path-trav-f6M7cs6r	Trust: 0.8
title:	Cisco Identity Services Engine Enter the fix for the verification error vulnerability	url:	http://123.124.177.30/web/xxk/bdxqById.tag?id=213485	Trust: 0.6

sources: JVNDB: JVNDB-2022-022839 // CNNVD: CNNVD-202211-2097

EXTERNAL IDS

db:	NVD	id:	CVE-2022-20962	Trust: 3.3
db:	JVNDB	id:	JVNDB-2022-022839	Trust: 0.8
db:	CNNVD	id:	CNNVD-202211-2097	Trust: 0.6
db:	VULHUB	id:	VHN-405515	Trust: 0.1

sources: VULHUB: VHN-405515 // JVNDB: JVNDB-2022-022839 // CNNVD: CNNVD-202211-2097 // NVD: CVE-2022-20962

REFERENCES

url:	https://sec.cloudapps.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-ise-path-trav-f6m7cs6r	Trust: 1.0
url:	https://nvd.nist.gov/vuln/detail/cve-2022-20962	Trust: 0.8
url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-ise-path-trav-f6m7cs6r	Trust: 0.7
url:	https://cxsecurity.com/cveshow/cve-2022-20962/	Trust: 0.6

sources: VULHUB: VHN-405515 // JVNDB: JVNDB-2022-022839 // CNNVD: CNNVD-202211-2097 // NVD: CVE-2022-20962

SOURCES

db:	VULHUB	id:	VHN-405515
db:	JVNDB	id:	JVNDB-2022-022839
db:	CNNVD	id:	CNNVD-202211-2097
db:	NVD	id:	CVE-2022-20962

LAST UPDATE DATE

2024-08-14T14:37:11.371000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-405515	date:	2022-11-08T00:00:00
db:	JVNDB	id:	JVNDB-2022-022839	date:	2023-11-21T01:54:00
db:	CNNVD	id:	CNNVD-202211-2097	date:	2022-11-09T00:00:00
db:	NVD	id:	CVE-2022-20962	date:	2024-01-25T17:15:22.763

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-405515	date:	2022-11-04T00:00:00
db:	JVNDB	id:	JVNDB-2022-022839	date:	2023-11-21T00:00:00
db:	CNNVD	id:	CNNVD-202211-2097	date:	2022-11-04T00:00:00
db:	NVD	id:	CVE-2022-20962	date:	2022-11-04T18:15:11.460