Information disclosure in Cisco Smart Software Manager On-Prem



Published: 2022-10-06
Risk Low
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2022-20939
CWE-ID CWE-200
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe 		Cisco Smart Software Manager On-Prem
Server applications / Other server solutions

Vendor

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Information disclosure

EUVDB-ID: #VU67954

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-20939

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to inadequate protection of sensitive user information in the web-based management interface. A remote user can access certain logs on the target system and use the obtained information to elevate privileges to System Admin.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Cisco Smart Software Manager On-Prem: before 8-202206

External links

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cssm-priv-esc-SEjz69dv


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###