Sign-up

ID

VAR-202211-1056


CVE

CVE-2022-20964


TITLE

Cisco Identity Services Engine  In  OS  Command injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2022-006005

DESCRIPTION

A vulnerability in the web-based management interface of Cisco Identity Services Engine could allow an authenticated, remote attacker to inject arbitrary commands on the underlying operating system. This vulnerability is due to improper validation of user input within requests as part of the web-based management interface. An attacker could exploit this vulnerability by manipulating requests to the web-based management interface to contain operating system commands. A successful exploit could allow the attacker to execute arbitrary operating system commands on the underlying operating system with the privileges of the web services user. Cisco has not yet released software updates that address this vulnerability. (DoS) It may be in a state. For more information about these vulnerabilities, see the Details section of this advisory. There are no workarounds that address these vulnerabilities. This advisory is available at the following link:tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-7Q4TNYUx

Trust: 1.8

sources: NVD: CVE-2022-20964 // JVNDB: JVNDB-2022-006005 // VULHUB: VHN-405517 // VULMON: CVE-2022-20964

AFFECTED PRODUCTS

vendor:ciscomodel:identity services enginescope:eqversion:2.7.0

Trust: 1.0

vendor:ciscomodel:identity services enginescope:ltversion:2.6.0

Trust: 1.0

vendor:ciscomodel:identity services enginescope:eqversion:3.1

Trust: 1.0

vendor:ciscomodel:identity services enginescope:eqversion:2.6.0

Trust: 1.0

vendor:ciscomodel:identity services enginescope:eqversion:3.2

Trust: 1.0

vendor:ciscomodel:identity services enginescope:eqversion:3.0.0

Trust: 1.0

vendor:シスコシステムズmodel:cisco identity services enginescope:eqversion: -

Trust: 0.8

vendor:シスコシステムズmodel:cisco identity services enginescope: - version: -

Trust: 0.8

sources: JVNDB: JVNDB-2022-006005 // NVD: CVE-2022-20964

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD: CVE-2022-20964
value: HIGH

Trust: 1.8

ykramarz@cisco.com: CVE-2022-20964
value: MEDIUM

Trust: 1.0

CNNVD: CNNVD-202211-2967
value: HIGH

Trust: 0.6

NVD:
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

ykramarz@cisco.com:
baseSeverity: MEDIUM
baseScore: 6.3
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: 2.8
impactScore: 3.4
version: 3.1

Trust: 1.0

NVD: CVE-2022-20964
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2022-006005 // CNNVD: CNNVD-202211-2967 // NVD: CVE-2022-20964 // NVD: CVE-2022-20964

PROBLEMTYPE DATA

problemtype:CWE-78

Trust: 1.1

problemtype:OS Command injection (CWE-78) [NVD evaluation ]

Trust: 0.8

sources: VULHUB: VHN-405517 // JVNDB: JVNDB-2022-006005 // NVD: CVE-2022-20964

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202211-2967

TYPE

operating system commend injection

Trust: 0.6

sources: CNNVD: CNNVD-202211-2967

CONFIGURATIONS

sources:
            
            
            NVD: CVE-2022-20964

PATCH
title:cisco-sa-ise-7Q4TNYUxurl:https://sec.cloudapps.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-ise-7q4tnyux
Trust: 0.8
title:Cisco Identity Services Engine Fixes for operating system command injection vulnerabilitiesurl:http://123.124.177.30/web/xxk/bdxqbyid.tag?id=222194
Trust: 0.6
title:Cisco: Cisco Identity Services Engine Vulnerabilitiesurl:https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-ise-7q4tnyux
Trust: 0.1
sources:
            
            
            VULMON: CVE-2022-20964 // 
            
            
            
            JVNDB: JVNDB-2022-006005 // 
            
            
            
            CNNVD: CNNVD-202211-2967

EXTERNAL IDS
db:NVDid:CVE-2022-20964
Trust: 3.4
db:JVNDBid:JVNDB-2022-006005
Trust: 0.8
db:AUSCERTid:ESB-2022.5984.4
Trust: 0.6
db:AUSCERTid:ESB-2022.5984.2
Trust: 0.6
db:CNNVDid:CNNVD-202211-2967
Trust: 0.6
db:VULHUBid:VHN-405517
Trust: 0.1
db:VULMONid:CVE-2022-20964
Trust: 0.1
sources:
            
            
            VULHUB: VHN-405517 // 
            
            
            
            VULMON: CVE-2022-20964 // 
            
            
            
            JVNDB: JVNDB-2022-006005 // 
            
            
            
            CNNVD: CNNVD-202211-2967 // 
            
            
            
            NVD: CVE-2022-20964

REFERENCES
url:https://sec.cloudapps.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-ise-7q4tnyux
Trust: 1.7
url:https://nvd.nist.gov/vuln/detail/cve-2022-20964
Trust: 0.8
url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-ise-7q4tnyux
Trust: 0.7
url:https://www.auscert.org.au/bulletins/esb-2022.5984.2
Trust: 0.6
url:https://cxsecurity.com/cveshow/cve-2022-20964/
Trust: 0.6
url:https://www.auscert.org.au/bulletins/esb-2022.5984.4
Trust: 0.6
sources:
            
            
            VULHUB: VHN-405517 // 
            
            
            
            VULMON: CVE-2022-20964 // 
            
            
            
            JVNDB: JVNDB-2022-006005 // 
            
            
            
            CNNVD: CNNVD-202211-2967 // 
            
            
            
            NVD: CVE-2022-20964

SOURCES
db:VULHUBid:VHN-405517
db:VULMONid:CVE-2022-20964
db:JVNDBid:JVNDB-2022-006005
db:CNNVDid:CNNVD-202211-2967
db:NVDid:CVE-2022-20964

LAST UPDATE DATE
2024-01-29T19:24:47.585000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-405517date:2023-01-26T00:00:00
db:JVNDBid:JVNDB-2022-006005date:2023-06-23T08:21:00
db:CNNVDid:CNNVD-202211-2967date:2023-01-28T00:00:00
db:NVDid:CVE-2022-20964date:2024-01-25T17:15:22.990

SOURCES RELEASE DATE
db:VULHUBid:VHN-405517date:2023-01-20T00:00:00
db:JVNDBid:JVNDB-2022-006005date:2023-06-23T00:00:00
db:CNNVDid:CNNVD-202211-2967date:2022-11-16T00:00:00
db:NVDid:CVE-2022-20964date:2023-01-20T07:15:10.743