CVE-2022-20791: Cisco Unified Communications Products Arbitrary File Read Vulnerability
First published: Wed Jul 06 2022(Updated: )
A vulnerability in the database user privileges of Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), and Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P) could allow an authenticated, remote attacker to read arbitrary files on the underlying operating system of an affected device. This vulnerability is due to insufficient file permission restrictions. An attacker could exploit this vulnerability by sending a crafted command from the API to the application. A successful exploit could allow the attacker to read arbitrary files on the underlying operating system of the affected device. The attacker would need valid user credentials to exploit this vulnerability.
Credit: ykramarz@cisco.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Cisco Unified Communications Manager | <=11.5\(1.10000.6\) | |
| Cisco Unified Communications Manager | <=11.5\(1.10000.6\) | |
| Cisco Unified Communications Manager | >=12.5<=12.5\(1.10000.22\) | |
| Cisco Unified Communications Manager | >=12.5<=12.5\(1.10000.22\) | |
| Cisco Unified Communications Manager | >=14.0<=14.0\(1.10000.20\) | |
| Cisco Unified Communications Manager | >=14.0<=14.0\(1.10000.20\) | |
| Cisco Unified Communications Manager IM and Presence Service | <=12.5\(1\) | |
| Cisco Unified Communications Manager IM and Presence Service | >=14.0<14su2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID for this Cisco Unified Communications Manager vulnerability?
The vulnerability ID for this Cisco Unified Communications Manager vulnerability is CVE-2022-20791.
What is the severity of CVE-2022-20791?
The severity of CVE-2022-20791 is medium with a CVSS score of 6.5.
Which versions of Cisco Unified Communications Manager are affected by CVE-2022-20791?
The affected versions of Cisco Unified Communications Manager are 11.5(1.10000.6) to 12.5(1.10000.22) and 14.0(1.10000.20) to 14.0(1.10000.20).
What is the affected software for CVE-2022-20791?
The affected software for CVE-2022-20791 includes Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), and Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P).
Where can I find more information about CVE-2022-20791?
You can find more information about CVE-2022-20791 on the Cisco Security Advisory page: [link](https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-imp-afr-YBFLNyzd).
- collector/nvd-index
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/weakness
- agent/author
- agent/last-modified-date
- agent/severity
- agent/title
- agent/tags
- agent/description
- agent/first-publish-date
- agent/event
- vendor/cisco
- canonical/cisco unified communications manager
- version/cisco unified communications manager/11.5\(1.10000.6\)
- version/cisco unified communications manager/12.5
- version/cisco unified communications manager/12.5\(1.10000.22\)
- version/cisco unified communications manager/14.0
- version/cisco unified communications manager/14.0\(1.10000.20\)
- canonical/cisco unified communications manager im and presence service
- version/cisco unified communications manager im and presence service/12.5\(1\)
- version/cisco unified communications manager im and presence service/14.0