CVE-2022-20816

Published: Aug 10, 2022Modified: Nov 21, 2024

8.1

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Exploitability: 2.8 / Impact: 5.2

Source: NVD

Description

A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an authenticated, remote attacker to delete arbitrary files from an affected system. This vulnerability exists because the affected software does not properly validate HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected software. A successful exploit could allow the attacker to delete arbitrary files from the affected system.

Affected (2)

Products: Cisco: Unified Communications Manager

1 product

Unified Communications Manager

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Cisco Unified Communications Manager	From 11.5\(1\) to 14su2
Cisco Unified Communications Manager	From 11.5\(1\) to 14su2

Related CWEs

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

References (2)

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-file-delete-N2VPmOnE

Source: psirt@cisco.com

Vendor Advisory

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-file-delete-N2VPmOnE

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.