First published: Wed Jul 06 2022
A vulnerability in Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), and Cisco Unity Connection could allow an unauthenticated, remote attacker to perform a timing attack. This vulnerability is due to insufficient protection of a system password. An attacker could exploit this vulnerability by observing the time it takes the system to respond to various queries. A successful exploit could allow the attacker to determine a sensitive system password.
Credit: ykramarz@cisco.com
Affected Software | Affected Version | How to fix |
---|---|---|
Cisco Unified Communications Manager | >=12.5(1) <12.5(1)su6 | |
Cisco Unified Communications Manager | >=14.0 <14su1 | |
Cisco Unity Connection | >=12.5(1) <12.5(1)su6 | |
Cisco Unity Connection | >=14.0 <14su1 | |
CVE-2022-20752 is a vulnerability in Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), and Cisco Unity Connection.
CVE-2022-20752 allows an unauthenticated, remote attacker to perform a timing attack, potentially leading to unauthorized access or information disclosure.
CVE-2022-20752 affects Cisco Unified Communications Manager (Unified CM) versions 12.5(1) and 14.0, as well as Cisco Unified Communications Manager Session Management Edition (Unified CM SME) and Cisco Unity Connection versions 12.5(1) and 14.0.
CVE-2022-20752 has a severity rating of 5.3 (Medium).
To mitigate CVE-2022-20752, Cisco recommends upgrading to a fixed software release as described in the Cisco Security Advisory.