CVE-2022-20964 — OS Command Injection in Cisco Identity Services Engine

CWE-78 — OS Command Injection CWE-648 — Incorrect Use of Privileged APIs CWE-79 — Cross-site Scripting4 documents4 sources

Severity

8.8HIGHNVD

CNA6.3

EPSS

3.8%

top 11.83%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cisco Identity Services Engine Cisco Identity Services Engine Software

Timeline

PublishedJan 20

Description

A vulnerability in the web-based management interface of Cisco Identity Services Engine could allow an authenticated, remote attacker to inject arbitrary commands on the underlying operating system. This vulnerability is due to improper validation of user input within requests as part of the web-based management interface. An attacker could exploit this vulnerability by manipulating requests to the web-based management interface to contain operating system commands. A successful exploit could al…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5cisco/cisco_identity_services_engine_software32 versions+31

▶NVDcisco/identity_services_engine< 2.6.0+5

🔴Vulnerability Details

GHSA

GHSA-fvm6-h6r9-qcr2: A vulnerability in the web-based management interface of Cisco Identity Services Engine could allow an authenticated, remote attacker to inject arbitr↗2023-01-20

▶

CVEList

CVE-2022-20964: A vulnerability in the web-based management interface of Cisco Identity Services Engine could allow an authenticated, remote attacker to inject arbitr↗2023-01-18

▶

📋Vendor Advisories

Cisco

Cisco Identity Services Engine Vulnerabilities↗2022-11-16

▶