CVE-2022-20789

A vulnerability in the software upgrade process of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an authenticated, remote attacker to write arbitrary files on the affected system. This vulnerability is due to improper restrictions applied to a system script. An attacker could exploit this vulnerability by using crafted variables during the execution of a system upgrade. A successful exploit could allow the attacker to overwrite or append arbitrary data to system files using root-level privileges.

CVSS v3 6.5 MEDIUM
CVSS v2.0 8.5 HIGH

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.2 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

8.5^/10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:L/Au:S/C:N/I:C/A:C

Exploitability : 8.0 / Impact : 9.2

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-arb-write-74QzruUU	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:cisco:unified_communications_manager:12.5\(1\)::::-:::
	cpe:2.3:a:cisco:unified_communications_manager:12.5\(1\)::::session_management:::
	cpe:2.3:a:cisco:unified_communications_manager:14.0::::-:::
	cpe:2.3:a:cisco:unified_communications_manager:14.0::::session_management:::

History

03 May 2022, 16:56

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : 8.5 v3 : 6.5
CWE		CWE-610
First Time		Cisco Cisco unified Communications Manager
References	~~(CISCO) https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-arb-write-74QzruUU -~~	(CISCO) https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-arb-write-74QzruUU - Vendor Advisory
CPE		cpe:2.3:a:cisco:unified_communications_manager:14.0::::session_management::: cpe:2.3:a:cisco:unified_communications_manager:14.0::::-::: cpe:2.3:a:cisco:unified_communications_manager:12.5\(1\)::::session_management::: cpe:2.3:a:cisco:unified_communications_manager:12.5\(1\)::::-:::

21 Apr 2022, 19:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-04-21 19:15

Updated : 2023-12-10 14:22

NVD link : CVE-2022-20789

Mitre link : CVE-2022-20789

CVE.ORG link : CVE-2022-20789

JSON object : View

Products Affected

cisco

unified_communications_manager

CWE

CWE-610

Externally Controlled Reference to a Resource in Another Sphere

CWE-73

External Control of File Name or Path

6.5 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

8.5 /10

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact COMPLETE

Availability Impact COMPLETE

JSON object

Attach tags to CVE-2022-20789

6.5^/10

8.5^/10

Attach tags to `CVE-2022-20789`