cisco-sa-cucm-imp-afr-YBFLNyzd: Cisco Unified Communications Products Arbitrary File Read Vulnerability
First published: Wed Jul 06 2022(Updated: )
A vulnerability in the database user privileges of Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), and Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P) could allow an authenticated, remote attacker to read arbitrary files on the underlying operating system of an affected device. This vulnerability is due to insufficient file permission restrictions. An attacker could exploit this vulnerability by sending a crafted command from the API to the application. A successful exploit could allow the attacker to read arbitrary files on the underlying operating system of the affected device. The attacker would need valid user credentials to exploit this vulnerability. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link:https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-imp-afr-YBFLNyzd
Credit: Dan Marin Deloitte
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Cisco Unified CM and Unified CM SME | >=10.5=11.5=12.0=12.5<=14<14SU2 | 14SU2 |
| Cisco Unified CM IM&P |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID?
The vulnerability ID is cisco-sa-cucm-imp-afr-YBFLNyzd.
What is the title of the vulnerability?
The title of the vulnerability is Cisco Unified Communications Products Arbitrary File Read Vulnerability.
What is affected by this vulnerability?
This vulnerability affects Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), and Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P).
What is the severity of the vulnerability?
The severity of the vulnerability is medium with a CVSS score of 6.5.
How can I fix this vulnerability?
To fix this vulnerability, you should upgrade to Cisco Unified Communications Manager (Unified CM) and Unified CM SME version 14SU2 or apply the necessary patches recommended by Cisco.
- agent/type
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- collector/cisco-advisory
- source/Cisco
- agent/software-canonical-lookup
- agent/references
- agent/title
- agent/severity
- agent/author
- agent/weakness
- agent/tags
- agent/description
- agent/event
- vendor/cisco
- canonical/cisco unified cm and unified cm sme
- version/cisco unified cm and unified cm sme/10.5
- version/cisco unified cm and unified cm sme/11.5
- version/cisco unified cm and unified cm sme/12.0
- version/cisco unified cm and unified cm sme/12.5
- version/cisco unified cm and unified cm sme/14
- canonical/cisco unified cm im&p