nvd-json-data-feeds/CVE-2022/CVE-2022-208xx/CVE-2022-20859.json

{
  "id": "CVE-2022-20859",
  "sourceIdentifier": "ykramarz@cisco.com",
  "published": "2022-07-06T21:15:11.797",
  "lastModified": "2022-07-14T17:05:12.880",
  "vulnStatus": "Analyzed",
  "descriptions": [
    {
      "lang": "en",
      "value": "A vulnerability in the Disaster Recovery framework of Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P), and Cisco Unity Connection could allow an authenticated, remote attacker to perform certain administrative actions they should not be able to. This vulnerability is due to insufficient access control checks on the affected device. An attacker with read-only privileges could exploit this vulnerability by executing a specific vulnerable command on an affected device. A successful exploit could allow the attacker to perform a set of administrative actions they should not be able to."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad en el marco de Recuperaci\u00f3n de Desastres de Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P), y Cisco Unity Connection podr\u00eda permitir a un atacante autenticado y remoto llevar a cabo determinadas acciones administrativas que no deber\u00edan poder. Esta vulnerabilidad es debido a una comprobaci\u00f3n de control de acceso insuficiente en el dispositivo afectado. Un atacante con privilegios de s\u00f3lo lectura podr\u00eda explotar esta vulnerabilidad al ejecutar un comando vulnerable espec\u00edfico en un dispositivo afectado. Una explotaci\u00f3n con \u00e9xito podr\u00eda permitir al atacante llevar a cabo una serie de acciones administrativas que no deber\u00eda poder realizar"
    }
  ],
  "metrics": {
    "cvssMetricV31": [
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "cvssData": {
          "version": "3.1",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "attackVector": "NETWORK",
          "attackComplexity": "LOW",
          "privilegesRequired": "LOW",
          "userInteraction": "NONE",
          "scope": "UNCHANGED",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9
      }
    ],
    "cvssMetricV30": [
      {
        "source": "ykramarz@cisco.com",
        "type": "Secondary",
        "cvssData": {
          "version": "3.0",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
          "attackVector": "NETWORK",
          "attackComplexity": "LOW",
          "privilegesRequired": "LOW",
          "userInteraction": "NONE",
          "scope": "UNCHANGED",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6
      }
    ],
    "cvssMetricV2": [
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "cvssData": {
          "version": "2.0",
          "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
          "accessVector": "NETWORK",
          "accessComplexity": "LOW",
          "authentication": "SINGLE",
          "confidentialityImpact": "COMPLETE",
          "integrityImpact": "COMPLETE",
          "availabilityImpact": "COMPLETE",
          "baseScore": 9.0
        },
        "baseSeverity": "HIGH",
        "exploitabilityScore": 8.0,
        "impactScore": 10.0,
        "acInsufInfo": false,
        "obtainAllPrivilege": false,
        "obtainUserPrivilege": false,
        "obtainOtherPrivilege": false,
        "userInteractionRequired": false
      }
    ]
  },
  "weaknesses": [
    {
      "source": "nvd@nist.gov",
      "type": "Primary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-863"
        }
      ]
    },
    {
      "source": "ykramarz@cisco.com",
      "type": "Secondary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-284"
        }
      ]
    }
  ],
  "configurations": [
    {
      "nodes": [
        {
          "operator": "OR",
          "negate": false,
          "cpeMatch": [
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:a:cisco:unified_communications_manager:*:*:*:*:*:*:*:*",
              "versionStartIncluding": "14.0",
              "versionEndExcluding": "14su2",
              "matchCriteriaId": "90259C71-D12C-4E4D-99B1-94CB7273608C"
            },
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:a:cisco:unified_communications_manager_im_and_presence_service:*:*:*:*:*:*:*:*",
              "versionStartIncluding": "14.0",
              "versionEndExcluding": "14.0su2",
              "matchCriteriaId": "2BC1ED14-2795-48C1-94A6-24BB2272277F"
            },
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:a:cisco:unity_connection:*:*:*:*:*:*:*:*",
              "versionStartIncluding": "14.0",
              "versionEndExcluding": "14su2",
              "matchCriteriaId": "D713E0A3-D63C-42E6-804C-865801407787"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ucm-access-dMKvV2DY",
      "source": "ykramarz@cisco.com",
      "tags": [
        "Vendor Advisory"
      ]
    }
  ]
}