First published: Wed Mar 08 2023
A vulnerability in the upgrade signature verification of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an unauthenticated, local attacker to provide an unauthentic upgrade file for upload. This vulnerability is due to insufficient cryptographic signature verification of upgrade files. An attacker could exploit this vulnerability by providing an administrator with an unauthentic upgrade file. A successful exploit could allow the attacker to fully compromise the Cisco NFVIS system.
Credit: ykramarz@cisco.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Cisco Enterprise NFV Infrastructure Software | >=3.5.1, <4.9.1 | |
CVE-2022-20929 is a vulnerability in the upgrade signature verification of Cisco Enterprise NFV Infrastructure Software (NFVIS) that could allow an unauthenticated, local attacker to provide an unauthentic upgrade file for upload.
CVE-2022-20929 affects Cisco Enterprise NFV Infrastructure Software versions from 3.5.1 up to, but not including, 4.9.1 (the range given in the table above).
The severity of CVE-2022-20929 is high with a CVSS score of 7.8.
An unauthenticated, local attacker can exploit CVE-2022-20929 by supplying an administrator with an unauthentic upgrade file for upload; because the upgrade signature is not sufficiently verified, the file is accepted and the NFVIS system can be fully compromised.
Cisco has released a security advisory with mitigation details for CVE-2022-20929. Please refer to the Cisco Security Advisory for more information.