Multiple vulnerabilities in Cisco Expressway Series and Cisco TelePresence Video Communication Server

Published: 2022-07-07

Risk	Medium
Patch available	YES
Number of vulnerabilities	2
CVE-ID	CVE-2022-20812 CVE-2022-20813
CWE-ID	CWE-22 CWE-158
Exploitation vector	Network
Public exploit	N/A
Vulnerable software Subscribe	Expressway Series Server applications / Conferencing, Collaboration and VoIP solutions Cisco TelePresence Video Communication Server Server applications / Other server solutions
Vendor	Cisco Systems, Inc

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Path traversal

EUVDB-ID: #VU64962

Risk: Low

CVSSv3.1: 7.8 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-20812

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: No

Description

The vulnerability allows a remote user to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences in the cluster database API. A remote administrator can send a specially crafted HTTP request and overwrite arbitrary files on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Expressway Series: 14.0

Cisco TelePresence Video Communication Server: 14.0

External links

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-expressway-overwrite-3buqW8LH

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Improper Neutralization of Null Byte or NUL Character

EUVDB-ID: #VU64963

Risk: Medium

CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-20813

CWE-ID: CWE-158 - Improper Neutralization of Null Byte or NUL Character