CVE-2022-20941Small Space of Random Values in Cisco Firepower Management Center

CWE-334Small Space of Random ValuesCWE-331Insufficient EntropyCWE-862Missing AuthorizationCWE-330Use of Insufficiently Random Values4 documents4 sources
Severity
5.3MEDIUMNVD
EPSS
0.3%
top 45.33%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Cisco Firepower Management CenterCisco Secure Firewall Management Center
Timeline
PublishedNov 15
Latest updateNov 16

Description

A vulnerability in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an unauthenticated, remote attacker to access sensitive information. This vulnerability is due to missing authorization for certain resources in the web-based management interface together with insufficient entropy in these resource names. An attacker could exploit this vulnerability by sending a series of HTTPS requests to an affected device to enumerate resources on the device.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

CVEListV5cisco/cisco_firepower_management_center62 versions+61

🔴Vulnerability Details

2
GHSA
GHSA-64qf-4r7v-w6j5: A vulnerability in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an unauthenticated, remote attac2022-11-16
CVEList
CVE-2022-20941: A vulnerability in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an unauthenticated, remote attac2022-11-10

📋Vendor Advisories

1
Cisco
Cisco Firepower Management Center Software Information Disclosure Vulnerability2022-11-09
CVE-2022-20941 — Small Space of Random Values in Cisco | cvebase