CVE-2022-20759

Exploit

EPSS 7.36%
Veröffentlicht 03.05.2022 04:15:09
Zuletzt bearbeitet 21.11.2024 06:43:29
Quelle psirt@cisco.com
Teams Watchlist Login
Unerledigt Login

A vulnerability in the web services interface for remote access VPN features of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, but unprivileged, remote attacker to elevate privileges to level 15. This vulnerability is due to improper separation of authentication and authorization scopes. An attacker could exploit this vulnerability by sending crafted HTTPS messages to the web services interface of an affected device. A successful exploit could allow the attacker to gain privilege level 15 access to the web management interface of the device. This includes privilege level 15 access to the device using management tools like the Cisco Adaptive Security Device Manager (ASDM) or the Cisco Security Manager (CSM). Note: With Cisco FTD Software, the impact is lower than the CVSS score suggests because the affected web management interface allows for read access only.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 2 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Cisco ≫ Firepower Threat Defense Version < 6.4.0.15

Cisco ≫ Firepower Threat Defense Version >= 6.5.0 < 6.6.5.2

Cisco ≫ Firepower Threat Defense Version >= 6.7.0 < 7.0.2

Cisco ≫ Firepower Threat Defense Version7.1.0

Cisco ≫ Adaptive Security Appliance Software Version < 9.12.4.38

Cisco ≫ Adaptive Security Appliance Software Version >= 9.13.0 < 9.14.4

Cisco ≫ Adaptive Security Appliance Software Version >= 9.15.0 < 9.15.1.21

Cisco ≫ Adaptive Security Appliance Software Version >= 9.16.0 < 9.16.2.14

Cisco ≫ Adaptive Security Appliance Software Version >= 9.17.0 < 9.17.1.7

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	7.36%	0.913

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	8.5	6.8	10	AV:N/AC:M/Au:S/C:C/I:C/A:C
psirt@cisco.com	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-266 Incorrect Privilege Assignment

A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

CWE-269 Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

https://github.com/orangecertcc/security-research/security/advisories/GHSA-gq88-gqmj-7v24

Third Party Advisory

Exploit

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-mgmt-privesc-BMFMUvye

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2022-20759

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-20759

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-20759

EUVD