CVE-2022-20732

Cisco Virtualized Infrastructure Manager Privilege Escalation Vulnerability

Severity Score

7.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

A vulnerability in the configuration file protections of Cisco Virtualized Infrastructure Manager (VIM) could allow an authenticated, local attacker to access confidential information and elevate privileges on an affected device. This vulnerability is due to improper access permissions for certain configuration files. An attacker with low-privileged credentials could exploit this vulnerability by accessing an affected device and reading the affected configuration files. A successful exploit could allow the attacker to obtain internal database credentials, which the attacker could use to view and modify the contents of the database. The attacker could use this access to the database to elevate privileges on the affected device.

Una vulnerabilidad en las protecciones de los archivos de configuración de Cisco Virtualized Infrastructure Manager (VIM) podría permitir a un atacante local autenticado acceder a información confidencial y elevar privilegios en un dispositivo afectado. Esta vulnerabilidad es debido a permisos de acceso inapropiados para determinados archivos de configuración. Un atacante con credenciales poco privilegiadas podría aprovechar esta vulnerabilidad al acceder a un dispositivo afectado y leyendo los archivos de configuración afectados. Una explotación con éxito podría permitir al atacante obtener credenciales internas de la base de datos, que el atacante podría usar para visualizar y modificar el contenido de la base de datos. El atacante podría usar este acceso a la base de datos para elevar privilegios en el dispositivo afectado

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-11-02 CVE Reserved
2022-04-21 CVE Published
2023-03-08 EPSS Updated
2024-09-17 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-276: Incorrect Default Permissions
CWE-284: Improper Access Control

CAPEC

References (1)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vim-privesc-T2tsFUf	2023-11-07

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Cisco Search vendor "Cisco"		Virtualized Infrastructure Manager Search vendor "Cisco" for product "Virtualized Infrastructure Manager"				< 4.2.2 Search vendor "Cisco" for product "Virtualized Infrastructure Manager" and version " < 4.2.2"		-		Affected