Vulnerability CVE-2022-20862

Vulnerability Name:

CVE-2022-20862 (CCN-230554)

Assigned:

2021-11-02

Published:

2022-07-06

Updated:

2022-07-14

Summary:

A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an authenticated, remote attacker to read arbitrary files on the underlying operating system of an affected device. This vulnerability is due to improper validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP request that contains directory traversal character sequences to an affected system. A successful exploit could allow the attacker to access sensitive files on the operating system.

CVSS v3 Severity:

4.3 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
3.8 Low (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): Low User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): None Availibility (A): None

4.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
3.8 Low (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): Low User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): None Availibility (A): None

CVSS v2 Severity:

4.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

4.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

Vulnerability Type:

CWE-22

Vulnerability Consequences:

Obtain Information

References:

Source: MITRE
Type: CNA
CVE-2022-20862

Source: XF
Type: UNKNOWN
cisco-cve202220862-dir-traversal(230554)

Source: CCN
Type: Cisco Security Advisory cisco-sa-ucm-file-read-qgjhEc3A
Cisco Unified Communications Manager Arbitrary File Read Vulnerability

Source: CISCO
Type: Vendor Advisory
20220706 Cisco Unified Communications Manager Arbitrary File Read Vulnerability

Vulnerable Configuration:

Configuration 1:

cpe:/a:cisco:unified_communications_manager:*:*:*:*:-:*:*:* (Version < 12.5(1)su6)

OR cpe:/a:cisco:unified_communications_manager:*:*:*:*:session_management:*:*:* (Version < 12.5(1)su6)

OR cpe:/a:cisco:unified_communications_manager:*:*:*:*:session_management:*:*:* (Version >= 14.0 and < 14su2)

OR cpe:/a:cisco:unified_communications_manager:*:*:*:*:*:*:*:* (Version >= 14.0 and < 14su2)

Configuration CCN 1:

cpe:/a:cisco:unified_communications_manager:-:*:*:*:*:*:*:*

Denotes that component is vulnerable

BACK