CVE-2014-7991: Improper Input Validation in Cisco Unified Communications Manager

Severity: 4.3 MEDIUM (NVD)
EPSS: 0.3% (top 47.40%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Nov 14; latest update May 17

Description

The Remote Mobile Access Subsystem in Cisco Unified Communications Manager (CM) 10.0(1) and earlier does not properly validate the Subject Alternative Name (SAN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof VCS core devices via a crafted certificate issued by a legitimate Certification Authority, aka Bug ID CSCuq86376.

CVSS vector

AV:N/AC:M/C:N/I:P/A:N
Exploitability: 8.6 | Impact: 2.9

Affected Packages: 1 package

🔴 Vulnerability Details (2)

GHSA, 2022-05-17
GHSA-pwqj-948j-h8ph: The Remote Mobile Access Subsystem in Cisco Unified Communications Manager (CM) 10

CVEList, 2014-11-14
CVE-2014-7991: The Remote Mobile Access Subsystem in Cisco Unified Communications Manager (CM) 10

📋 Vendor Advisories (1)

Cisco, 2014-11-11
Cisco Unified Communications Manager Remote Mobile Access Subsystem Vulnerability