CVE-2022-20732 : A vulnerability in the configuration file protections of Cisco Virtualized Infrastructure Manager (VIM) could allow an a

A vulnerability in the configuration file protections of Cisco Virtualized Infrastructure Manager (VIM) could allow an authenticated, local attacker to access confidential information and elevate privileges on an affected device. This vulnerability is due to improper access permissions for certain configuration files. An attacker with low-privileged credentials could exploit this vulnerability by accessing an affected device and reading the affected configuration files. A successful exploit could allow the attacker to obtain internal database credentials, which the attacker could use to view and modify the contents of the database. The attacker could use this access to the database to elevate privileges on the affected device.

Published 2022-04-21 19:15:08

Updated 2022-05-03 15:29:56

Source Cisco Systems, Inc.

View at NVD, CVE.org

Vulnerability category: BypassGain privilege

Exploit prediction scoring system (EPSS) score for CVE-2022-20732

Probability of exploitation activity in the next 30 days: 0.04%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 6 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2022-20732

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.6	MEDIUM	AV:L/AC:L/Au:N/C:P/I:P/A:P	3.9	6.4	NIST
Access Vector: Local Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
7.8	HIGH	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	1.8	5.9	Cisco Systems, Inc.
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
7.8	HIGH	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	1.8	5.9	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2022-20732

CWE-276 Incorrect Default Permissions

During installation, installed file permissions are set to allow anyone to modify those files.

Assigned by: nvd@nist.gov (Primary)
CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Assigned by: ykramarz@cisco.com (Secondary)

References for CVE-2022-20732

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vim-privesc-T2tsFUf

Cisco Virtualized Infrastructure Manager Privilege Escalation Vulnerability
Vendor Advisory

Products affected by CVE-2022-20732

Cisco » Virtualized Infrastructure Manager
Versions before (<) 4.2.2
cpe:2.3:a:cisco:virtualized_infrastructure_manager:*:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2022-20732

Exploit prediction scoring system (EPSS) score for CVE-2022-20732

CVSS scores for CVE-2022-20732

CWE ids for CVE-2022-20732

References for CVE-2022-20732

Products affected by CVE-2022-20732