CVE-2022-20733 — Improper Authentication in Cisco Identity Services Engine Software

CWE-287 — Improper Authentication4 documents4 sources

Severity

9.8CRITICALNVD

CNA5.3

EPSS

0.5%

top 33.20%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cisco Identity Services Engine Software Cisco Identity Services Engine

Timeline

PublishedJun 15

Latest updateJun 16

Description

A vulnerability in the login page of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to log in without credentials and access all roles without any restrictions. This vulnerability is due to exposed sensitive Security Assertion Markup Language (SAML) metadata. An attacker could exploit this vulnerability by using the exposed SAML metadata to bypass authentication to the user portal. A successful exploit could allow the attacker to access all roles without any…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶NVDcisco/identity_services_engine3.1

▶CVEListV5cisco/cisco_identity_services_engine_softwaren/a

🔴Vulnerability Details

GHSA

GHSA-gqhw-x424-g962: A vulnerability in the login page of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to log in without credential↗2022-06-16

▶

CVEList

Cisco Identity Services Engine Authentication Bypass Vulnerability↗2022-06-15

▶

📋Vendor Advisories

Cisco

Cisco Identity Services Engine Authentication Bypass Vulnerability↗2022-06-15

▶