CVE-2009-0632 — Cisco Unified Communications Manager vulnerability

CWE-255 CWE-2644 documents4 sources

Severity

9.0CRITICALNVD

EPSS

1.3%

top 20.16%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cisco Unified Communications Manager

Timeline

PublishedMar 12

Latest updateMay 2

Description

The IP Phone Personal Address Book (PAB) Synchronizer feature in Cisco Unified Communications Manager (aka CUCM, formerly CallManager) 4.1, 4.2 before 4.2(3)SR4b, 4.3 before 4.3(2)SR1b, 5.x before 5.1(3e), 6.x before 6.1(3), and 7.0 before 7.0(2) sends privileged directory-service account credentials to the client in cleartext, which allows remote attackers to modify the CUCM configuration and perform other privileged actions by intercepting these credentials, and then using them in requests unr…

CVSS vector

AV:N/AC:L/C:C/I:C/A:CExploitability: 8.0 | Impact: 10.0

Affected Packages1 packages

▶NVDcisco/unified_communications_manager30 versions+29

Patches

Patch: www.cisco.com ↗Patch: www.vupen.com ↗Patch: www.cisco.com ↗

🔴Vulnerability Details

GHSA

GHSA-cfrx-jj8w-q779: The IP Phone Personal Address Book (PAB) Synchronizer feature in Cisco Unified Communications Manager (aka CUCM, formerly CallManager) 4↗2022-05-02

▶

CVEList

CVE-2009-0632: The IP Phone Personal Address Book (PAB) Synchronizer feature in Cisco Unified Communications Manager (aka CUCM, formerly CallManager) 4↗2009-03-12

▶

📋Vendor Advisories

Cisco

Cisco Unified Communications Manager IP Phone Personal Address Book Synchronizer Privilege Escalation Vulnerability↗2009-03-11

▶