Cisco ECE Web UI Username Enumeration (CVE-2022-20633)
CVE-2022-20633 Published on November 15, 2024
Cisco Enterprise Chat and Email Username Enumeration Vulnerability
A vulnerability in the web-based management interface of Cisco ECE could allow an unauthenticated, remote attacker to perform a username enumeration attack against an affected device.
This vulnerability is due to differences in authentication responses that are sent back from the application as part of an authentication attempt. An attacker could exploit this vulnerability by sending authentication requests to an affected device. A successful exploit could allow the attacker to confirm existing user accounts, which could be used in further attacks.
Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
Vulnerability Analysis
CVE-2022-20633 can be exploited with network access and requires neither privileges nor user interaction. The attack complexity is considered low. A successful exploit is considered to have a small impact on confidentiality and a small impact on integrity and availability.
Weakness Type
Observable Response Discrepancy
The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere. This issue frequently occurs during authentication, where a difference in failed-login messages could allow an attacker to determine if the username is valid or not. These exposures can be inadvertent (bug) or intentional (design).
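The following added example (not from the Cisco advisory or ECE's own code) shows the authentication pattern behind this weakness class beside a hardened form: the leaky handler answers differently for an unknown user and for a wrong password, while the uniform handler returns the same status and message for both and also hashes a dummy credential on the unknown-user path so the two failures cost the same. User store, credentials and helper names are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import secrets

# Constructed user store: username -> (salt, PBKDF2 hash). Not an ECE data structure.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash_password("correct horse", _SALT))}

# Random dummy credential hashed whenever the username is unknown, so the
# unknown-user path does the same work as the known-user path.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password(secrets.token_hex(16), _DUMMY_SALT)


def login_leaky(username: str, password: str) -> tuple[int, str]:
    """Vulnerable pattern: status and message reveal whether the username exists."""
    record = USERS.get(username)
    if record is None:
        return 404, "Unknown user"
    salt, stored = record
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return 401, "Incorrect password"
    return 200, "Login successful"


def login_uniform(username: str, password: str) -> tuple[int, str]:
    """Hardened pattern: identical response and work for both failure cases."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _hash_password(password, salt)
    # The membership check is evaluated after the hash comparison so the
    # response never depends on the username alone.
    ok = hmac.compare_digest(candidate, stored) and username in USERS
    if not ok:
        return 401, "Invalid username or password"
    return 200, "Login successful"


def leaks_username(login_fn) -> bool:
    """Observable-discrepancy check: compare an unknown user with a known user
    and wrong password; any difference in the response is an enumeration oracle."""
    return login_fn("nobody", "wrong") != login_fn("alice", "wrong")


if __name__ == "__main__":
    print("leaky handler leaks:", leaks_username(login_leaky))      # True
    print("uniform handler leaks:", leaks_username(login_uniform))  # False
```

A timing-based oracle is not removed by the uniform message alone; the dummy hash in the unknown-user branch is what keeps the two failure paths from differing in duration.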
Products Associated with CVE-2022-20633
Affected Versions
Cisco Enterprise Chat and Email:
- Version 11.6(1)_ES3 is affected.
- Version 11.6(1)_ES4 is affected.
- Version 12.0(1)_ES6 is affected.
- Version 11.6(1)_ES8 is affected.
- Version 12.0(1)_ES5a is affected.
- Version 11.6(1)_ES9 is affected.
- Version 12.0(1)_ES6_ET1 is affected.
- Version 11.6(1)_ES6 is affected.
- Version 11.6(1)_ES5 is affected.
- Version 12.5(1)_ET1 is affected.
- Version 12.5(1) is affected.
- Version 12.5(1)_ES3_ET1 is affected.
- Version 12.0(1)_ES3 is affected.
- Version 11.6(1)_ES11 is affected.
- Version 12.0(1)_ES4 is affected.
- Version 12.0(1)_ES5 is affected.
- Version 11.6(1)_ES2 is affected.
- Version 11.6(1)_ES9a is affected.
- Version 11.6(1)_ES10 is affected.
- Version 12.0(1)_ES1 is affected.
- Version 12.0(1) is affected.
- Version 12.5(1)_ES3 is affected.
- Version 12.6(1) is affected.
- Version 11.5(1) is affected.
- Version 12.0(1)_ES2 is affected.
- Version 11.6(1)_ES7 is affected.
- Version 12.5(1)_ES2 is affected.
- Version 12.6(1)_ET1 is affected.
- Version 11.6(1) is affected.
- Version 12.5(1)_ES1 is affected.
- Before 12.6(1)_ES1 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.