Multiple vulnerabilities in Cisco BroadWorks CommPilot Application Software
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2022-20951 CVE-2022-20958 |
| CWE-ID | CWE-36 CWE-918 |
| Exploitation vector | Network |
| Public exploit |
Public exploit code for vulnerability #1 is available. Public exploit code for vulnerability #2 is available. |
| Vulnerable software Subscribe |
BroadWorks CommPilot Application Software Server applications / Other server solutions |
| Vendor |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Absolute Path Traversal
EUVDB-ID: #VU68971
Risk: Medium
CVSSv3.1: 7.5 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2022-20951
CWE-ID:
CWE-36 - Absolute Path Traversal
Exploit availability: No
DescriptionThe vulnerability allows a remote user to execute arbitrary commands on the system.
The vulnerability exists due to insufficient validation of user-supplied input in the web-based management interface. A remote authenticated user can send a specially crafted HTTP request and execute arbitrary OS commands on the device as the bworks user.
MitigationInstall updates from vendor's website.
Vulnerable software versionsBroadWorks CommPilot Application Software: before 24.0.944
External linkshttp://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-broadworks-ssrf-BJeQfpp
http://bst.cloudapps.cisco.com/bugsearch/bug/CSCwd06681
http://www.shielder.com/advisories/cisco-broadworks-commpilot-ssrf/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
2) Server-Side Request Forgery (SSRF)
EUVDB-ID: #VU68972
Risk: Medium
CVSSv3.1: 5.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N/E:P/RL:O/RC:C]
CVE-ID: CVE-2022-20958
CWE-ID:
CWE-918 - Server-Side Request Forgery (SSRF)
Exploit availability: No
DescriptionThe disclosed vulnerability allows a user attacker to perform SSRF attacks.
The vulnerability exists due to insufficient validation of user-supplied input. A remote user can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems.
Successful exploitation of this vulnerability may allow a remote attacker gain access to sensitive data, located in the local network or send malicious requests to other servers from the vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsBroadWorks CommPilot Application Software: before 24.0.944
External linkshttp://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-broadworks-ssrf-BJeQfpp
http://bst.cloudapps.cisco.com/bugsearch/bug/CSCwd04685
http://www.shielder.com/advisories/cisco-broadworks-commpilot-authenticated-remote-code-execution/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
