CVE-2022-20850

Published: Sep 30, 2022Modified: Nov 21, 2024

7.1

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Exploitability: 1.8 / Impact: 5.2

Source: NVD

Description

A vulnerability in the CLI of stand-alone Cisco IOS XE SD-WAN Software and Cisco SD-WAN Software could allow an authenticated, local attacker to delete arbitrary files from the file system of an affected device. This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by injecting arbitrary file path information when using commands in the CLI of an affected device. A successful exploit could allow the attacker to delete arbitrary files from the file system of the affected device.

Affected (5)

Products: Cisco: Ios Xe Sd Wan, Sd Wan Vbond Orchestrator, Sd Wan Vmanage, Sd Wan Vsmart Controller, Sd Wan

Cisco

5 products

Ios Xe Sd Wan

Sd Wan Vbond Orchestrator

Sd Wan Vmanage

Sd Wan Vsmart Controller

Sd Wan

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Cisco Ios Xe Sd Wan	Before 16.10.1
Cisco Sd Wan Vbond Orchestrator	Before 18.4.5
Cisco Sd Wan Vmanage	Before 18.4.5
Cisco Sd Wan Vsmart Controller	Before 18.4.5

Configuration B

1 vulnerable · 9 platform

Vulnerable Software	Affected Versions
Cisco Sd Wan	Before 18.4.5

Running on/with	Platform Versions
Cisco 1100 4g Integrated Services Router	All versions
Cisco 1100 6g Integrated Services Router	All versions
Cisco 1100 Integrated Services Router	All versions
Cisco Vedge 100	All versions
Cisco Vedge 1000	All versions
Cisco Vedge 100b	All versions
Cisco Vedge 100m	All versions
Cisco Vedge 2000	All versions
Cisco Vedge 5000	All versions

Related CWEs

CWE-20

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

References (2)

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-arb-file-delete-VB2rVcQv

Source: psirt@cisco.com

Vendor Advisory

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-arb-file-delete-VB2rVcQv

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.