Cisco Smart Software Manager On-Prem: Priv Esc via Web UI Logs
CVE-2022-20939 Published on November 15, 2024
Cisco Smart Software Manager On-Prem Privilege Escalation Vulnerability
A vulnerability in the web-based management interface of Cisco Smart Software Manager On-Prem could allow an authenticated, remote attacker to elevate privileges on an affected system.
This vulnerability is due to inadequate protection of sensitive user information. An attacker could exploit this vulnerability by accessing certain logs on an affected system. A successful exploit could allow the attacker to use the obtained information to elevate privileges to System Admin. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
Vulnerability Analysis
CVE-2022-20939 is exploitable over the network by an attacker who already holds a low-privileged account on the appliance, and the attack complexity is low. The impact of a successful exploit is scored as low for confidentiality, and low for integrity and availability. Note that the advisory's end state, a System Admin account on the license server, means a practitioner should treat the update as urgent regardless of how the individual metrics are scored.
Weakness Type
Insecure Storage of Sensitive Information (CWE-922)
The software stores sensitive information without properly limiting read or write access by unauthorized actors. If read access is not properly restricted, then attackers can steal the sensitive information. If write access is not properly restricted, then attackers can modify and possibly delete the data, causing incorrect results and possibly a denial of service.
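The weakness behind this advisory (secrets written into logs that a lower-privileged user can open) is easiest to see in code. The following is an added example, not Cisco's code and not taken from the advisory: a hypothetical log writer that records request fields verbatim, its hardened counterpart that drops and redacts secret fields before storage, a role check on the log-viewing endpoint so a low-privileged account cannot read what only a System Admin should, and an audit helper for scanning exported logs for unredacted secrets. The deny-list of key names, the role ranks, the sample event and all function names are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field

# Field and header names whose values must never be stored in a log.
# Constructed deny-list for this example; a real product needs its own.
SENSITIVE_KEYS = ("password", "passwd", "secret", "token", "api_key",
                  "authorization", "cookie")

# key=value or "key: value" pairs for the keys above; an optional Bearer/Basic
# scheme word is swallowed with the value so "Authorization: Bearer x" is masked whole.
_KV = re.compile(
    r"(?i)\b(" + "|".join(SENSITIVE_KEYS) + r")(\s*[=:]\s*)"
    r"((?:bearer|basic)\s+)?[^\s,;&]+"
)
# Bare "Bearer <token>" / "Basic <blob>" fragments inside free-text messages.
_SCHEME = re.compile(r"(?i)\b(bearer|basic)\s+[A-Za-z0-9\-._~+/=]+")


def redact(line: str) -> str:
    """Mask secret values in a log line while keeping the key for debugging."""
    line = _KV.sub(lambda m: f"{m.group(1)}{m.group(2)}<redacted>", line)
    return _SCHEME.sub(lambda m: f"{m.group(1)} <redacted>", line)


@dataclass
class LogStore:
    """In-memory stand-in for the appliance's log files (constructed for the example)."""
    lines: list = field(default_factory=list)

    def write_unsafe(self, event: dict) -> str:
        """Vulnerable pattern: every request field, secrets included, is written verbatim."""
        line = " ".join(f"{k}={v}" for k, v in event.items())
        self.lines.append(line)
        return line

    def write_safe(self, event: dict) -> str:
        """Hardened pattern: drop known secret fields, then scrub the rendered text."""
        kept = {k: v for k, v in event.items() if k.lower() not in SENSITIVE_KEYS}
        line = redact(" ".join(f"{k}={v}" for k, v in kept.items()))
        self.lines.append(line)
        return line


# Role ranks for the log-viewing endpoint (constructed; not Cisco's role model).
ROLE_RANK = {"reader": 0, "license_admin": 1, "system_admin": 2}


def view_logs(store: LogStore, role: str, required: str = "system_admin") -> list:
    """Authorization gate: only roles at or above `required` may read log contents."""
    if ROLE_RANK.get(role, -1) < ROLE_RANK[required]:
        raise PermissionError(f"role {role!r} may not read logs")
    return list(store.lines)


def find_leaks(lines) -> list:
    """Audit helper: indexes of lines that still carry an unredacted secret."""
    return [i for i, line in enumerate(lines) if redact(line) != line]


if __name__ == "__main__":
    # Constructed sample request event, the kind a login handler might log.
    event = {"user": "bob", "password": "hunter2", "path": "/api/login",
             "msg": "retry with token=tok_123"}
    unsafe, safe = LogStore(), LogStore()
    print("unsafe:", unsafe.write_unsafe(event))
    print("safe:  ", safe.write_safe(event))
    print("leaky lines in unsafe store:", find_leaks(unsafe.lines))
    try:
        view_logs(unsafe, "reader")
    except PermissionError as exc:
        print("denied:", exc)
```

Run the file to see the two stored lines side by side. The point to carry back to the advisory: once a log line containing an admin credential or session token exists on disk, every role allowed to open the log viewer can read it, so both the write side (redaction before storage) and the read side (authorization on the viewer) need fixing. Patching only the viewer leaves already-written lines exposed to anyone with file, support-bundle or backup access, which is why an audit pass over existing logs is worth running after the update.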
Products Associated with CVE-2022-20939
Affected Versions
Cisco Smart Software Manager On-Prem:
- Version 7-202001 is affected.
- Version 1.1 is affected.
- Version 6.3.0 is affected.
- Version 8-202004 is affected.
- Version 5.1.0 (LD) is affected.
- Version 8-202006 is affected.
- Version 1.2 is affected.
- Version 1.3 is affected.
- Version 8-202012 is affected.
- Version 8-202010 is affected.
- Version 8-202008 is affected.
- Version 8-202102 is affected.
- Version 1.4 is affected.
- Version 8-202105 is affected.
- Version 8-202108 is affected.
- Version 8-202112 is affected.
- Version 8-202201 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.