CVE-2022-20695

EPSS 0.21%
Veröffentlicht 15.04.2022 15:15:12
Zuletzt bearbeitet 21.11.2024 06:43:20
Quelle psirt@cisco.com
Teams Watchlist Login
Unerledigt Login

A vulnerability in the authentication functionality of Cisco Wireless LAN Controller (WLC) Software could allow an unauthenticated, remote attacker to bypass authentication controls and log in to the device through the management interface This vulnerability is due to the improper implementation of the password validation algorithm. An attacker could exploit this vulnerability by logging in to an affected device with crafted credentials. A successful exploit could allow the attacker to bypass authentication and log in to the device as an administrator. The attacker could obtain privileges that are the same level as an administrative user but it depends on the crafted credentials. Note: This vulnerability exists because of a non-default device configuration that must be present for it to be exploitable. For details about the vulnerable configuration, see the Vulnerable Products section of this advisory.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 2 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Cisco ≫ Wireless Lan Controller 8.10.151.0

   Cisco ≫ Virtual Wireless Controller Version-
   Cisco ≫ 3504 Wireless Controller Version-
   Cisco ≫ 5520 Wireless Controller Version-
   Cisco ≫ 8540 Wireless Controller Version-
   Cisco ≫ Aironet 1540 Version-
   Cisco ≫ Aironet 1542d Version-
   Cisco ≫ Aironet 1542i Version-
   Cisco ≫ Aironet 1560 Version-
   Cisco ≫ Aironet 1562d Version-
   Cisco ≫ Aironet 1562e Version-
   Cisco ≫ Aironet 1562i Version-
   Cisco ≫ Aironet 1815 Version-
   Cisco ≫ Aironet 1815i Version-
   Cisco ≫ Aironet 1815m Version-
   Cisco ≫ Aironet 1815t Version-
   Cisco ≫ Aironet 1815w Version-
   Cisco ≫ Aironet 1830 Version-
   Cisco ≫ Aironet 1830e Version-
   Cisco ≫ Aironet 1830i Version-
   Cisco ≫ Aironet 1832 Version-
   Cisco ≫ Aironet 1850 Version-
   Cisco ≫ Aironet 1850e Version-
   Cisco ≫ Aironet 1850i Version-
   Cisco ≫ Aironet 1852 Version-
   Cisco ≫ Aironet 2800 Version-
   Cisco ≫ Aironet 2800e Version-
   Cisco ≫ Aironet 2800i Version-
   Cisco ≫ Aironet 3800 Version-
   Cisco ≫ Aironet 3800e Version-
   Cisco ≫ Aironet 3800i Version-
   Cisco ≫ Aironet 3800p Version-
   Cisco ≫ Aironet 4800 Version-

Cisco ≫ Wireless Lan Controller 8.10.162.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.21%	0.439

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	10	3.9	6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
nvd@nist.gov	9.3	8.6	10	AV:N/AC:M/Au:N/C:C/I:C/A:C
psirt@cisco.com	10	3.9	6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

CWE-303 Incorrect Implementation of Authentication Algorithm

The requirements for the product dictate the use of an established authentication algorithm, but the implementation of the algorithm is incorrect.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wlc-auth-bypass-JRNhV4fF

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2022-20695

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-20695

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-20695

EUVD