// For flags

CVE-2022-20752

Cisco Unified Communications Products Timing Attack Vulnerability

Severity Score

5.3
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Attend
*SSVC
Descriptions

A vulnerability in Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), and Cisco Unity Connection could allow an unauthenticated, remote attacker to perform a timing attack. This vulnerability is due to insufficient protection of a system password. An attacker could exploit this vulnerability by observing the time it takes the system to respond to various queries. A successful exploit could allow the attacker to determine a sensitive system password.

Una vulnerabilidad en Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME) y Cisco Unity Connection podría permitir a un atacante remoto no autenticado llevar a cabo un ataque de sincronización. Esta vulnerabilidad es debido a una insuficiente protección de una contraseña del sistema. Un atacante podría explotar esta vulnerabilidad al observar el tiempo que tarda el sistema en responder a varias consultas. Una explotación con éxito podría permitir al atacante determinar una contraseña confidencial del sistema

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
Partial
Integrity
None
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:Attend
Exploitation
None
Automatable
Yes
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2021-11-02 CVE Reserved
  • 2022-07-06 CVE Published
  • 2024-01-27 EPSS Updated
  • 2024-11-01 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-203: Observable Discrepancy
  • CWE-208: Observable Timing Discrepancy
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Cisco
Search vendor "Cisco"
Unified Communications Manager
Search vendor "Cisco" for product "Unified Communications Manager"
>= 12.5\(1\) < 12.5\(1\)su6
Search vendor "Cisco" for product "Unified Communications Manager" and version " >= 12.5\(1\) < 12.5\(1\)su6"
-
Affected
Cisco
Search vendor "Cisco"
Unified Communications Manager
Search vendor "Cisco" for product "Unified Communications Manager"
>= 12.5\(1\) < 12.5\(1\)su6
Search vendor "Cisco" for product "Unified Communications Manager" and version " >= 12.5\(1\) < 12.5\(1\)su6"
session_management
Affected
Cisco
Search vendor "Cisco"
Unified Communications Manager
Search vendor "Cisco" for product "Unified Communications Manager"
>= 14.0 < 14su1
Search vendor "Cisco" for product "Unified Communications Manager" and version " >= 14.0 < 14su1"
-
Affected
Cisco
Search vendor "Cisco"
Unified Communications Manager
Search vendor "Cisco" for product "Unified Communications Manager"
>= 14.0 < 14su1
Search vendor "Cisco" for product "Unified Communications Manager" and version " >= 14.0 < 14su1"
session_management
Affected
Cisco
Search vendor "Cisco"
Unity Connection
Search vendor "Cisco" for product "Unity Connection"
>= 12.5\(1\) < 12.5\(1\)su6
Search vendor "Cisco" for product "Unity Connection" and version " >= 12.5\(1\) < 12.5\(1\)su6"
-
Affected
Cisco
Search vendor "Cisco"
Unity Connection
Search vendor "Cisco" for product "Unity Connection"
>= 14.0 < 14su1
Search vendor "Cisco" for product "Unity Connection" and version " >= 14.0 < 14su1"
-
Affected