Vulnerability Details : CVE-2022-20956
A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to bypass authorization and access system files.
This vulnerability is due to improper access control in the web-based management interface of an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device. A successful exploit could allow the attacker to list, download, and delete certain files that they should not have access to.
Cisco plans to release software updates that address this vulnerability.
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-access-contol-EeufSUCx ["https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-access-contol-EeufSUCx"]
Products affected by CVE-2022-20956
- cpe:2.3:a:cisco:identity_services_engine:3.1:-:*:*:*:*:*:*
- cpe:2.3:a:cisco:identity_services_engine:3.1:patch1:*:*:*:*:*:*
- cpe:2.3:a:cisco:identity_services_engine:3.1:patch3:*:*:*:*:*:*
- cpe:2.3:a:cisco:identity_services_engine:3.2:-:*:*:*:*:*:*
- cpe:2.3:a:cisco:identity_services_engine:3.1:patch4:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-20956
0.17%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 55 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-20956
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
8.8
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
2.8
|
5.9
|
NIST | |
7.1
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N |
2.8
|
4.2
|
Cisco Systems, Inc. |
CWE ids for CVE-2022-20956
-
The product does not conform to the API requirements for a function call that requires extra privileges. This could allow attackers to gain privileges by causing the function to be called incorrectly.Assigned by: ykramarz@cisco.com (Secondary)
References for CVE-2022-20956
-
https://yoroi.company/en/research/cve-advisory-full-disclosure-cisco-ise-broken-access-control/
CVE Advisory - Full Disclosure Cisco ISE Broken Access Control - Yoroi
-
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-access-contol-EeufSUCx
Cisco Identity Services Engine Insufficient Access Control Vulnerability
-
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-access-contol-EeufSUCx
Cisco Identity Services Engine Insufficient Access Control VulnerabilityVendor Advisory
Jump to