Cisco Identity Services Engine Path Traversal (cisco-sa-ise-path-trav-f6M7cs6r)

high Nessus Plugin ID 166907

Synopsis

The remote device is missing a vendor-supplied security patch.

Description

According to its self-reported version, Cisco Identity Services Engine is affected by a path traversal vulnerability. This could allow an authenticated, remote attacker to make unauthorized changes to the file system of an affected device. This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by sending a crafted HTTP request with absolute path sequences. A successful exploit could allow the attacker to upload malicious files to arbitrary locations within the file system. Using this method, it is possible to access the underlying operating system and execute commands with system privileges.

Please see the included Cisco BID and Cisco Security Advisory for more information.

Solution

Upgrade to the relevant fixed version referenced in Cisco bug ID CSCwb75941

See Also

http://www.nessus.org/u?81f3ee5f

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwb75941

Plugin Details

Severity: High

ID: 166907

File Name: cisco-sa-ise-path-trav-f6M7cs6r.nasl

Version: 1.5

Type: combined

Family: CISCO

Published: 11/3/2022

Updated: 8/25/2023

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 6.7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2022-20962

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/h:cisco:identity_services_engine, cpe:/a:cisco:identity_services_engine, cpe:/a:cisco:identity_services_engine_software

Required KB Items: Host/Cisco/ISE/version

Exploit Ease: No known exploits are available

Patch Publication Date: 11/2/2022

Vulnerability Publication Date: 11/2/2022

Reference Information

CVE: CVE-2022-20962

CWE: 37

CISCO-SA: cisco-sa-ise-path-trav-f6M7cs6r

IAVA: 2022-A-0462-S

CISCO-BUG-ID: CSCwb75941