CVE-2022-20783 : A vulnerability in the packet processing functionality of Cisco TelePresence Collaboration Endpoint (CE) Software and Ci

A vulnerability in the packet processing functionality of Cisco TelePresence Collaboration Endpoint (CE) Software and Cisco RoomOS Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by sending crafted H.323 traffic to an affected device. A successful exploit could allow the attacker to cause the affected device to either reboot normally or reboot into maintenance mode, which could result in a DoS condition on the device.

Published 2022-04-21 19:15:08

Updated 2022-05-04 18:42:06

Source Cisco Systems, Inc.

View at NVD, CVE.org

Vulnerability category: Input validationDenial of service

Exploit prediction scoring system (EPSS) score for CVE-2022-20783

Probability of exploitation activity in the next 30 days: 0.14%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 49 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2022-20783

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.8	HIGH	AV:N/AC:L/Au:N/C:N/I:N/A:C	10.0	6.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Complete
7.5	HIGH	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H	3.9	3.6	Cisco Systems, Inc.
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H	3.9	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High

CWE ids for CVE-2022-20783

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Assigned by: nvd@nist.gov (Primary)
CWE-1287 Improper Validation of Specified Type of Input

The product receives input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type.

Assigned by: ykramarz@cisco.com (Secondary)

References for CVE-2022-20783

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ce-roomos-dos-c65x2Qf2

Cisco TelePresence Collaboration Endpoint and RoomOS Software H.323 Denial of Service Vulnerability
Vendor Advisory

Products affected by CVE-2022-20783

Cisco » Roomos
Versions before (<) 2022
cpe:2.3:o:cisco:roomos:*:*:*:*:*:*:*:*
Matching versions
Cisco » Telepresence Collaboration Endpoint
Versions before (<) 9.15.10.8
cpe:2.3:a:cisco:telepresence_collaboration_endpoint:*:*:*:*:*:*:*:*
Matching versions
Cisco » Telepresence Collaboration Endpoint
Versions from including (>=) 10.0.0.0 and before (<) 10.11.2.2
cpe:2.3:a:cisco:telepresence_collaboration_endpoint:*:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2022-20783

Exploit prediction scoring system (EPSS) score for CVE-2022-20783

CVSS scores for CVE-2022-20783

CWE ids for CVE-2022-20783

References for CVE-2022-20783

Products affected by CVE-2022-20783