CVE-2022-20956

Published Nov 4, 2022

Last updated 10 months ago

CVSS high 8.8

Overview

Description: A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to bypass authorization and access system files. This vulnerability is due to improper access control in the web-based management interface of an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device. A successful exploit could allow the attacker to list, download, and delete certain files that they should not have access to. Cisco plans to release software updates that address this vulnerability. https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-access-contol-EeufSUCx ["https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-access-contol-EeufSUCx"]
Source: ykramarz@cisco.com
NVD status: Modified

Risk scores

CVSS 3.1

Type: Primary
Base score: 8.8
Impact score: 5.9
Exploitability score: 2.8
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity: HIGH

Weaknesses

nvd@nist.gov: NVD-CWE-Other
ykramarz@cisco.com: CWE-648

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:cisco:identity_services_engine:3.1:-:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "C4DB9726-532F-45CE-81FD-45F2F6C7CE51"
          },
          {
            "criteria": "cpe:2.3:a:cisco:identity_services_engine:3.1:patch1:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "2E8F0066-0EC0-41FD-80BE-55C4ED5F6B0E"
          },
          {
            "criteria": "cpe:2.3:a:cisco:identity_services_engine:3.1:patch3:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "5D1765DB-1BEF-4CE9-8B86-B91F709600EB"
          },
          {
            "criteria": "cpe:2.3:a:cisco:identity_services_engine:3.1:patch4:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "3D1E80EF-C3FD-4F7A-B63D-0EAA5C878B11"
          },
          {
            "criteria": "cpe:2.3:a:cisco:identity_services_engine:3.2:-:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "36722B6C-64A5-4D00-94E1-442878C37A35"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

Overview

Risk scores

CVSS 3.1

Weaknesses

Social media

Configurations

References