ID

VAR-202211-1056


CVE

CVE-2022-20964


TITLE

OS command injection vulnerability in Cisco Identity Services Engine

Trust: 0.8

sources: JVNDB: JVNDB-2022-006005

DESCRIPTION

A vulnerability in the web-based management interface of Cisco Identity Services Engine could allow an authenticated, remote attacker to inject arbitrary commands on the underlying operating system. This vulnerability is due to improper validation of user input within requests as part of the web-based management interface. An attacker could exploit this vulnerability by manipulating requests to the web-based management interface to contain operating system commands. A successful exploit could allow the attacker to execute arbitrary operating system commands on the underlying operating system with the privileges of the web services user. Cisco has not yet released software updates that address this vulnerability. (DoS) It may be in a state. For more information about these vulnerabilities, see the Details section of this advisory. There are no workarounds that address these vulnerabilities. This advisory is available at the following link: tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-7Q4TNYUx

Trust: 1.8

sources: NVD: CVE-2022-20964 // JVNDB: JVNDB-2022-006005 // VULHUB: VHN-405517 // VULMON: CVE-2022-20964

AFFECTED PRODUCTS

vendor: cisco, model: identity services engine, scope: lt, version: 2.6.0

Trust: 1.0

vendor: cisco, model: identity services engine, scope: eq, version: 3.2

Trust: 1.0

vendor: cisco, model: identity services engine, scope: eq, version: 3.0.0

Trust: 1.0

vendor: cisco, model: identity services engine, scope: eq, version: 2.7.0

Trust: 1.0

vendor: cisco, model: identity services engine, scope: eq, version: 2.6.0

Trust: 1.0

vendor: cisco, model: identity services engine, scope: eq, version: 3.1

Trust: 1.0

vendor: Cisco Systems, model: cisco identity services engine, scope: eq, version: -

Trust: 0.8

vendor: Cisco Systems, model: cisco identity services engine, scope: -, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2022-006005 // NVD: CVE-2022-20964

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2022-20964
value: HIGH

Trust: 1.0

ykramarz@cisco.com: CVE-2022-20964
value: MEDIUM

Trust: 1.0

NVD: CVE-2022-20964
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202211-2967
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2022-20964
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

ykramarz@cisco.com: CVE-2022-20964
baseSeverity: MEDIUM
baseScore: 6.3
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: 2.8
impactScore: 3.4
version: 3.1

Trust: 1.0

NVD: CVE-2022-20964
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2022-006005 // CNNVD: CNNVD-202211-2967 // NVD: CVE-2022-20964 // NVD: CVE-2022-20964

PROBLEMTYPE DATA

problemtype: CWE-78

Trust: 1.1

problemtype: OS Command injection (CWE-78) [NVD evaluation]

Trust: 0.8

sources: VULHUB: VHN-405517 // JVNDB: JVNDB-2022-006005 // NVD: CVE-2022-20964

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202211-2967

TYPE

operating system command injection

Trust: 0.6

sources: CNNVD: CNNVD-202211-2967

PATCH

title: cisco-sa-ise-7Q4TNYUx
url: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-7Q4TNYUx

Trust: 0.8

title: Cisco Identity Services Engine Fixes for operating system command injection vulnerabilities
url: http://123.124.177.30/web/xxk/bdxqById.tag?id=222194

Trust: 0.6

title: Cisco: Cisco Identity Services Engine Vulnerabilities
url: https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-ise-7Q4TNYUx

Trust: 0.1

sources: VULMON: CVE-2022-20964 // JVNDB: JVNDB-2022-006005 // CNNVD: CNNVD-202211-2967

EXTERNAL IDS

db: NVD, id: CVE-2022-20964

Trust: 3.4

db: JVNDB, id: JVNDB-2022-006005

Trust: 0.8

db: AUSCERT, id: ESB-2022.5984.4

Trust: 0.6

db: AUSCERT, id: ESB-2022.5984.2

Trust: 0.6

db: CNNVD, id: CNNVD-202211-2967

Trust: 0.6

db: VULHUB, id: VHN-405517

Trust: 0.1

db: VULMON, id: CVE-2022-20964

Trust: 0.1

sources: VULHUB: VHN-405517 // VULMON: CVE-2022-20964 // JVNDB: JVNDB-2022-006005 // CNNVD: CNNVD-202211-2967 // NVD: CVE-2022-20964

REFERENCES

url:https://sec.cloudapps.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-ise-7q4tnyux

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2022-20964

Trust: 0.8

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-ise-7q4tnyux

Trust: 0.7

url:https://www.auscert.org.au/bulletins/esb-2022.5984.2

Trust: 0.6

url:https://cxsecurity.com/cveshow/cve-2022-20964/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2022.5984.4

Trust: 0.6

sources: VULHUB: VHN-405517 // VULMON: CVE-2022-20964 // JVNDB: JVNDB-2022-006005 // CNNVD: CNNVD-202211-2967 // NVD: CVE-2022-20964

SOURCES

db: VULHUB, id: VHN-405517
db: VULMON, id: CVE-2022-20964
db: JVNDB, id: JVNDB-2022-006005
db: CNNVD, id: CNNVD-202211-2967
db: NVD, id: CVE-2022-20964

LAST UPDATE DATE

2024-08-14T13:21:31.029000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-405517, date: 2023-01-26T00:00:00
db: JVNDB, id: JVNDB-2022-006005, date: 2023-06-23T08:21:00
db: CNNVD, id: CNNVD-202211-2967, date: 2023-01-28T00:00:00
db: NVD, id: CVE-2022-20964, date: 2024-01-25T17:15:22.990

SOURCES RELEASE DATE

db: VULHUB, id: VHN-405517, date: 2023-01-20T00:00:00
db: JVNDB, id: JVNDB-2022-006005, date: 2023-06-23T00:00:00
db: CNNVD, id: CNNVD-202211-2967, date: 2022-11-16T00:00:00
db: NVD, id: CVE-2022-20964, date: 2023-01-20T07:15:10.743