// For flags

CVE-2022-20956

 

Severity Score

8.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to bypass authorization and access system files.
This vulnerability is due to improper access control in the web-based management interface of an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device. A successful exploit could allow the attacker to list, download, and delete certain files that they should not have access to.
Cisco plans to release software updates that address this vulnerability.
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-access-contol-EeufSUCx ["https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-access-contol-EeufSUCx"]

Una vulnerabilidad en la interfaz de administración basada en web de Cisco Identity Services Engine (ISE) podría permitir que un atacante remoto autenticado haga una omisión sobre la autorización y acceda a los archivos del sistema. Esta vulnerabilidad se debe a un control de acceso inadecuado en la interfaz de administración basada en web de un dispositivo afectado. Un atacante podría aprovechar esta vulnerabilidad enviando una solicitud HTTP manipulada al dispositivo afectado. Un exploit exitoso podría permitir al atacante enumerar, descargar y eliminar ciertos archivos a los que no debería tener acceso. Cisco planea lanzar actualizaciones de software que aborden esta vulnerabilidad.
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-access-contol-EeufSUCx

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2021-11-02 CVE Reserved
  • 2022-11-03 CVE Published
  • 2024-08-03 CVE Updated
  • 2024-10-18 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-648: Incorrect Use of Privileged APIs
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Cisco
Search vendor "Cisco"
 Identity Services Engine
Search vendor "Cisco" for product "Identity Services Engine"
 3.1
Search vendor "Cisco" for product "Identity Services Engine" and version "3.1"
-
Affected
Cisco
Search vendor "Cisco"
 Identity Services Engine
Search vendor "Cisco" for product "Identity Services Engine"
 3.1
Search vendor "Cisco" for product "Identity Services Engine" and version "3.1"
patch1
Affected
Cisco
Search vendor "Cisco"
 Identity Services Engine
Search vendor "Cisco" for product "Identity Services Engine"
 3.1
Search vendor "Cisco" for product "Identity Services Engine" and version "3.1"
patch3
Affected
Cisco
Search vendor "Cisco"
 Identity Services Engine
Search vendor "Cisco" for product "Identity Services Engine"
 3.1
Search vendor "Cisco" for product "Identity Services Engine" and version "3.1"
patch4
Affected
Cisco
Search vendor "Cisco"
 Identity Services Engine
Search vendor "Cisco" for product "Identity Services Engine"
 3.2
Search vendor "Cisco" for product "Identity Services Engine" and version "3.2"
-
Affected