CVE-2022-20729

EPSS 0.15%
Veröffentlicht 03.05.2022 04:15:09
Zuletzt bearbeitet 21.11.2024 06:43:25
Quelle psirt@cisco.com
Teams Watchlist Login
Unerledigt Login

A vulnerability in CLI of Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, local attacker to inject XML into the command parser. This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by including crafted input in commands. A successful exploit could allow the attacker to inject XML into the command parser, which could result in unexpected processing of the command and unexpected command output.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Cisco ≫ Firepower Threat Defense Version < 6.4.0.15

Cisco ≫ Firepower Threat Defense Version >= 6.5.0 < 6.6.5.2

Cisco ≫ Firepower Threat Defense Version >= 6.7.0 < 7.0.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.15%	0.361

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.8	1.8	5.9	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	4.6	3.9	6.4	AV:L/AC:L/Au:N/C:P/I:P/A:P
psirt@cisco.com	4.4	1.8	2.5	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CWE-91 XML Injection (aka Blind XPath Injection)

The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-xmlinj-8GWjGzKe

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2022-20729

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-20729

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-20729

EUVD