CVE-2022-20850

EPSS 0.03%
Veröffentlicht 30.09.2022 19:15:12
Zuletzt bearbeitet 21.11.2024 06:43:41
Quelle psirt@cisco.com
Teams Watchlist Login
Unerledigt Login

A vulnerability in the CLI of stand-alone Cisco IOS XE SD-WAN Software and Cisco SD-WAN Software could allow an authenticated, local attacker to delete arbitrary files from the file system of an affected device. This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by injecting arbitrary file path information when using commands in the CLI of an affected device. A successful exploit could allow the attacker to delete arbitrary files from the file system of the affected device.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Cisco ≫ Sd-wan Vbond Orchestrator Version < 18.4.5

Cisco ≫ Sd-wan Vmanage Version < 18.4.5

Cisco ≫ Sd-wan Vsmart Controller Version < 18.4.5

Cisco ≫ Ios Xe Sd-wan Version < 16.10.1

Cisco ≫ Sd-wan Version < 18.4.5

   Cisco ≫ 1100-4g Integrated Services Router Version-
   Cisco ≫ 1100-6g Integrated Services Router Version-
   Cisco ≫ 1100 Integrated Services Router Version-
   Cisco ≫ Vedge 100 Version-
   Cisco ≫ Vedge 1000 Version-
   Cisco ≫ Vedge 100b Version-
   Cisco ≫ Vedge 100m Version-
   Cisco ≫ Vedge 2000 Version-
   Cisco ≫ Vedge 5000 Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.067

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.1	1.8	5.2	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
psirt@cisco.com	5.5	1.8	3.6	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-arb-file-delete-VB2rVcQv

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2022-20850

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-20850

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-20850

EUVD