CVE-2022-20930

CWE-88 CWE-78 — OS Command Injection4 documents4 sources

Severity

6.7MEDIUM

EPSS

0.3%

top 44.19%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cisco Sd-wan Cisco Sd-wan Vbond Orchestrator Cisco Sd-wan Vmanage +3 more

Timeline

PublishedSep 30

Latest updateOct 1

Description

A vulnerability in the CLI of Cisco SD-WAN Software could allow an authenticated, local attacker to overwrite and possibly corrupt files on an affected system. This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by injecting arbitrary commands that are executed as the root user account. A successful exploit could allow the attacker to overwrite arbitrary system files, which could result in a denial of service (DoS) condition.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 0.8 | Impact: 5.9

Affected Packages6 packages

▶NVDcisco/sd-wan< 20.6.2+2

▶NVDcisco/sd-wan_vmanage< 20.6.2

▶NVDcisco/sd-wan_vsmart_controller< 20.6.2+2

▶NVDcisco/sd-wan_vbond_orchestrator< 20.6.2+2

▶CVEListV5cisco/cisco_sd-wan_vmanagen/a

🔴Vulnerability Details

GHSA

GHSA-mhjq-pch7-qpc8: A vulnerability in the CLI of Cisco SD-WAN Software could allow an authenticated, local attacker to overwrite and possibly corrupt files on an affecte↗2022-10-01

▶

CVEList

Cisco SD-WAN Software Arbitrary File Corruption Vulnerability↗2022-09-30

▶

📋Vendor Advisories

Cisco

Cisco SD-WAN Software Arbitrary File Corruption Vulnerability↗2022-09-28

▶