CVE-2022-20791 — Vulnetix

CVE-2022-20791 PUBLISHED CVSS 6.5 MEDIUM

A vulnerability in the database user privileges of Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), and Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P) could allow an authenticated, remote attacker to read arbitrary files on the underlying operating system of an affected device. This vulnerability is due to insufficient file permission restrictions. An attacker could exploit this vulnerability by sending a crafted command from the API to the application. A successful exploit could allow the attacker to read arbitrary files on the underlying operating system of the affected device. The attacker would need valid user credentials to exploit this vulnerability.

EPSS 0.51% · 66.9th percentile

Risk Scores

CVSS 3.1

6.5

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS Score

0.51%

66.9th percentile

Affected Products

Vendor	Product	Versions
Cisco	Cisco Unified Communications Manager	n/a
cisco	unified_communications_manager	0, 14.0, 12.5
cisco	unified_communications_manager_im_and_presence_service	14.0, 0

Exploit Intelligence

20220706 Cisco Unified Communications Products Arbitrary File Read Vulnerability (circl)

Timeline

Jul 6, 2022 CVE Published
Jul 7, 2022 EPSS Score
Aug 24, 2022 EPSS Score
Oct 11, 2022 EPSS Score
Nov 27, 2022 EPSS Score
Jan 13, 2023 EPSS Score
Mar 2, 2023 EPSS Score
Mar 7, 2023 EPSS Score
Apr 18, 2023 EPSS Score
Jun 4, 2023 EPSS Score
Jul 21, 2023 EPSS Score
Sep 7, 2023 EPSS Score

References

20220706 Cisco Unified Communications Products Arbitrary File Read Vulnerability vendor-advisory
https://nvd.nist.gov/vuln/detail/CVE-2022-20791 advisory

Open in Interactive Console →