Cisco TelePresence CE Software Version Downgrade Vulnerability
CVE-2022-20931 Published on November 15, 2024
Cisco Touch 10 Device Downgrade Attack Vulnerability
A vulnerability in the version control of Cisco TelePresence CE Software for Cisco Touch 10 Devices could allow an unauthenticated, adjacent attacker to install an older version of the software on an affected device.
This vulnerability is due to insufficient version control. An attacker could exploit this vulnerability by installing an older version of Cisco TelePresence CE Software on an affected device. A successful exploit could allow the attacker to take advantage of vulnerabilities in older versions of the software. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
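The missing control the advisory describes is a rollback check at install time. The following is an added example (not Cisco's code and not part of the advisory) of such a check: it parses CE version strings of the form listed on this page, compares them numerically rather than as text, and rejects any candidate image older than the running release or below a hypothetical anti-rollback floor.

```python
import re
from typing import Tuple

# Assumed format for this example: a "CE" prefix followed by dot-separated
# numeric components of varying length (CE9.1.4, CE9.15.0.10, ...).
_VERSION_RE = re.compile(r"^CE(\d+(?:\.\d+)*)$")


def parse_ce_version(version: str) -> Tuple[int, ...]:
    """Parse 'CE9.15.0.10' into (9, 15, 0, 10); reject anything else."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised CE version string: {version!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as version a is older than, equal to or newer than b.

    Components are compared as integers so that CE9.9.4 sorts before
    CE9.10.3 (a plain string comparison would get this backwards), and
    shorter versions are zero-padded so CE9.15 equals CE9.15.0.
    """
    va, vb = parse_ce_version(a), parse_ce_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return (va > vb) - (va < vb)


def is_downgrade(installed: str, candidate: str) -> bool:
    """True when installing `candidate` would roll back below `installed`."""
    return compare_versions(candidate, installed) < 0


def check_install(installed: str, candidate: str, minimum: str) -> str:
    """Decision a rollback-aware installer would make for a candidate image.

    `minimum` is a hypothetical anti-rollback floor (the lowest release the
    device will ever accept again); a candidate below the running version or
    below the floor is rejected even if it carries a valid vendor signature.
    """
    if is_downgrade(installed, candidate):
        return f"rejected: downgrade from {installed} to {candidate}"
    if compare_versions(candidate, minimum) < 0:
        return f"rejected: {candidate} is below the anti-rollback floor {minimum}"
    return f"accepted: {candidate}"
```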
Vulnerability Analysis
Weakness Type
Exposure of Version-Control Repository to an Unauthorized Control Sphere
The product stores a CVS, git, or other repository in a directory, archive, or other resource that is stored, transferred, or otherwise made accessible to unauthorized actors. Version control repositories such as CVS or git store version-specific metadata and other details within subdirectories. If these subdirectories are stored on a web server or added to an archive, then these could be used by an attacker. This information may include usernames, filenames, path root, IP addresses, and detailed "diff" data about how files have been changed - which could reveal source code snippets that were never intended to be made public.
Products Associated with CVE-2022-20931
Affected Versions
Cisco TelePresence Endpoint Software (TC/CE):
- Version CE9.10.2 is affected.
- Version CE9.1.4 is affected.
- Version CE9.9.3 is affected.
- Version CE9.10.3 is affected.
- Version CE9.1.5 is affected.
- Version CE9.2.4 is affected.
- Version CE9.10.1 is affected.
- Version CE9.13.0 is affected.
- Version CE9.1.2 is affected.
- Version CE9.1.1 is affected.
- Version CE9.9.4 is affected.
- Version CE9.2.1 is affected.
- Version CE9.1.3 is affected.
- Version CE9.0.1 is affected.
- Version CE9.1.6 is affected.
- Version CE9.12.4 is affected.
- Version CE9.2.2 is affected.
- Version CE9.12.3 is affected.
- Version CE9.2.3 is affected.
- Version CE9.13.1 is affected.
- Version CE9.14.3 is affected.
- Version CE9.14.4 is affected.
- Version CE9.13.2 is affected.
- Version CE9.12.5 is affected.
- Version CE9.14.5 is affected.
- Version CE9.15.0.10 is affected.
- Version CE9.15.0.11 is affected.
- Version CE9.13.3 is affected.
- Version CE9.15.0.13 is affected.
- Version CE9.14.6 is affected.
- Version CE9.15.3.17 is affected.
- Version CE9.14.7 is affected.
- Version CE9.15.0.19 is affected.
- Version CE9.15.3.19 is affected.
- Version CE9.15.3.18 is affected.
- Version CE9.15.3.22 is affected.
- Version CE9.15.8.12 is affected.
- Version CE9.15.10.8 is affected.
- Version CE9.15.3.26 is affected.
- Version CE9.15.3.25 is affected.
- Version CE9.15.13.0 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.