Vulnerability Details: CVE-2022-20929
A vulnerability in the upgrade signature verification of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an unauthenticated, local attacker to provide an unauthentic upgrade file for upload.
This vulnerability is due to insufficient cryptographic signature verification of upgrade files. An attacker could exploit this vulnerability by providing an administrator with an unauthentic upgrade file. A successful exploit could allow the attacker to fully compromise the Cisco NFVIS system.
Products affected by CVE-2022-20929
- Cisco » Enterprise NFV Infrastructure Software, versions from 3.5.1 (inclusive, >=) up to but not including (<) 4.9.1. CPE: cpe:2.3:a:cisco:enterprise_nfv_infrastructure_software:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-20929
EPSS score: 0.06% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~26% (the proportion of vulnerabilities scored at or below this value)
CVSS scores for CVE-2022-20929
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 1.8 | 5.9 | NIST | 
7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 1.8 | 5.9 | Cisco Systems, Inc. | 
CWE ids for CVE-2022-20929
- The product does not validate, or incorrectly validates, a certificate. Assigned by: nvd@nist.gov (Primary)
- The product does not verify, or incorrectly verifies, the cryptographic signature for data. Assigned by: nvd@nist.gov (Primary); ykramarz@cisco.com (Secondary)
References for CVE-2022-20929
- Cisco ENCS - Improper Verification of Cryptographic Signature in NFVIS (CVE-2022-20929) · Advisory · orangecertcc/security-research · GitHub: https://github.com/orangecertcc/security-research/security/advisories/GHSA-4f6q-86ww-gmcr
- Cisco Enterprise NFV Infrastructure Software Improper Signature Verification Vulnerability (Vendor Advisory): https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-NFVIS-ISV-BQrvEv2h