CVE-2020-3177: Cisco Unified Communications Manager Path Traversal Vulnerability
First published: Wed Apr 15 2020(Updated: )
A vulnerability in the Tool for Auto-Registered Phones Support (TAPS) of Cisco Unified Communications Manager (UCM) and Cisco Unified Communications Manager Session Management Edition (SME) could allow an unauthenticated, remote attacker to conduct directory traversal attacks on an affected device. The vulnerability is due to insufficient validation of user-supplied input to the TAPS interface of the affected device. An attacker could exploit this vulnerability by sending a crafted request to the TAPS interface. A successful exploit could allow the attacker to read arbitrary files in the system.
Credit: ykramarz@cisco.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Cisco Unified Communications Manager | =10.5\(2.10000.5\) | |
| Cisco Unified Communications Manager | =11.5\(1.10000.6\) | |
| Cisco Unified Communications Manager | =12.0\(1.10000.10\) | |
| Cisco Unified Communications Manager | =12.5\(1.10000.22\) | |
| Cisco Unified Contact Center Express | =12.0\(1\) |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2020-3177?
CVE-2020-3177 is a vulnerability in Cisco Unified Communications Manager (UCM) and Cisco Unified Communications Manager Session Management Edition (SME) that allows a remote attacker to conduct directory traversal attacks on an affected device.
How severe is CVE-2020-3177?
CVE-2020-3177 has a severity rating of 7.5 out of 10 (high severity).
Which Cisco products are affected by CVE-2020-3177?
Cisco Unified Communications Manager versions 10.5(2.10000.5), 11.5(1.10000.6), 12.0(1.10000.10), and 12.5(1.10000.22), as well as Cisco Unified Contact Center Express version 12.0(1), are affected by CVE-2020-3177.
How can an attacker exploit CVE-2020-3177?
An attacker can exploit CVE-2020-3177 by sending malicious requests to the Tool for Auto-Registered Phones Support (TAPS) of Cisco Unified Communications Manager (UCM) or Cisco Unified Communications Manager Session Management Edition (SME) to perform directory traversal attacks.
Where can I find more information about CVE-2020-3177?
You can find more information about CVE-2020-3177 on the Cisco Security Advisory page: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-taps-path-trav-pfsFO93r
- collector/nvd-index
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/references
- agent/severity
- agent/weakness
- agent/title
- agent/author
- agent/tags
- agent/description
- agent/first-publish-date
- agent/event
- vendor/cisco
- canonical/cisco unified communications manager
- version/cisco unified communications manager/10.5\(2.10000.5\)
- version/cisco unified communications manager/11.5\(1.10000.6\)
- version/cisco unified communications manager/12.0\(1.10000.10\)
- version/cisco unified communications manager/12.5\(1.10000.22\)
- canonical/cisco unified contact center express
- version/cisco unified contact center express/12.0\(1\)