CVE-2022-20914

A vulnerability in the External RESTful Services (ERS) API of Cisco Identity Services Engine (ISE) Software could allow an authenticated, remote attacker to obtain sensitive information. This vulnerability is due to excessive verbosity in a specific REST API output. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device. A successful exploit could allow the attacker to obtain sensitive information, including administrative credentials for an external authentication server. Note: To successfully exploit this vulnerability, the attacker must have valid ERS administrative credentials.

CVSS v3 4.9 MEDIUM

4.9^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-pwd-WH64AhQF	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:cisco:identity_services_engine::::::::
	cpe:2.3:a:cisco:identity_services_engine:2.6.0:-::::::
	cpe:2.3:a:cisco:identity_services_engine:2.6.0:patch1::::::
	cpe:2.3:a:cisco:identity_services_engine:2.6.0:patch10::::::
	cpe:2.3:a:cisco:identity_services_engine:2.6.0:patch2::::::
	cpe:2.3:a:cisco:identity_services_engine:2.6.0:patch3::::::
	cpe:2.3:a:cisco:identity_services_engine:2.6.0:patch5::::::
	cpe:2.3:a:cisco:identity_services_engine:2.6.0:patch6::::::
	cpe:2.3:a:cisco:identity_services_engine:2.6.0:patch7::::::
	cpe:2.3:a:cisco:identity_services_engine:2.6.0:patch8::::::
	cpe:2.3:a:cisco:identity_services_engine:2.6.0:patch9::::::
	cpe:2.3:a:cisco:identity_services_engine:2.7.0:-::::::
	cpe:2.3:a:cisco:identity_services_engine:2.7.0:patch1::::::
	cpe:2.3:a:cisco:identity_services_engine:2.7.0:patch2::::::
	cpe:2.3:a:cisco:identity_services_engine:2.7.0:patch3::::::
	cpe:2.3:a:cisco:identity_services_engine:2.7.0:patch4::::::
	cpe:2.3:a:cisco:identity_services_engine:2.7.0:patch5::::::
	cpe:2.3:a:cisco:identity_services_engine:2.7.0:patch6::::::
	cpe:2.3:a:cisco:identity_services_engine:2.7.0:patch7::::::
	cpe:2.3:a:cisco:identity_services_engine:3.0.0:-::::::
	cpe:2.3:a:cisco:identity_services_engine:3.0.0:patch1::::::
	cpe:2.3:a:cisco:identity_services_engine:3.0.0:patch2::::::
	cpe:2.3:a:cisco:identity_services_engine:3.0.0:patch3::::::
	cpe:2.3:a:cisco:identity_services_engine:3.0.0:patch4::::::
	cpe:2.3:a:cisco:identity_services_engine:3.0.0:patch5::::::
	cpe:2.3:a:cisco:identity_services_engine:3.1:-::::::
	cpe:2.3:a:cisco:identity_services_engine:3.1:patch1::::::

History

12 Aug 2022, 18:20

Type	Values Removed	Values Added
References	~~(CISCO) https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-pwd-WH64AhQF -~~	(CISCO) https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-pwd-WH64AhQF - Vendor Advisory
CWE		CWE-522
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 4.9
CPE		cpe:2.3:a:cisco:identity_services_engine:2.6.0:patch6:::::: cpe:2.3:a:cisco:identity_services_engine:2.7.0:patch2:::::: cpe:2.3:a:cisco:identity_services_engine:::::::: cpe:2.3:a:cisco:identity_services_engine:2.6.0:patch3:::::: cpe:2.3:a:cisco:identity_services_engine:3.1:-:::::: cpe:2.3:a:cisco:identity_services_engine:2.7.0:patch1:::::: cpe:2.3:a:cisco:identity_services_engine:3.0.0:patch5:::::: cpe:2.3:a:cisco:identity_services_engine:2.7.0:patch4:::::: cpe:2.3:a:cisco:identity_services_engine:2.6.0:patch10:::::: cpe:2.3:a:cisco:identity_services_engine:2.7.0:patch5:::::: cpe:2.3:a:cisco:identity_services_engine:2.6.0:patch2:::::: cpe:2.3:a:cisco:identity_services_engine:2.6.0:patch7:::::: cpe:2.3:a:cisco:identity_services_engine:3.1:patch1:::::: cpe:2.3:a:cisco:identity_services_engine:2.6.0:-:::::: cpe:2.3:a:cisco:identity_services_engine:3.0.0:patch3:::::: cpe:2.3:a:cisco:identity_services_engine:2.6.0:patch5:::::: cpe:2.3:a:cisco:identity_services_engine:2.7.0:patch3:::::: cpe:2.3:a:cisco:identity_services_engine:2.7.0:-:::::: cpe:2.3:a:cisco:identity_services_engine:3.0.0:patch4:::::: cpe:2.3:a:cisco:identity_services_engine:3.0.0:-:::::: cpe:2.3:a:cisco:identity_services_engine:2.7.0:patch7:::::: cpe:2.3:a:cisco:identity_services_engine:3.0.0:patch1:::::: cpe:2.3:a:cisco:identity_services_engine:2.6.0:patch8:::::: cpe:2.3:a:cisco:identity_services_engine:2.6.0:patch9:::::: cpe:2.3:a:cisco:identity_services_engine:2.7.0:patch6:::::: cpe:2.3:a:cisco:identity_services_engine:3.0.0:patch2:::::: cpe:2.3:a:cisco:identity_services_engine:2.6.0:patch1::::::

10 Aug 2022, 20:15

Type	Values Removed	Values Added
Summary	A vulnerability in the External RESTful Services (ERS) API of Cisco Identity Services Engine (ISE) Software could allow an authenticated, remote attacker to obtain sensitive information. This vulnerability is due to excessive verbosity in a specific REST API output. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device. A successful exploit could allow the attacker to obtain sensitive information, including administrative credentials for an external authentication server. Note: To successfully exploit this vulnerability, the attacker must have valid ERS administrative credentials.	A vulnerability in the External RESTful Services (ERS) API of Cisco Identity Services Engine (ISE) Software could allow an authenticated, remote attacker to obtain sensitive information. This vulnerability is due to excessive verbosity in a specific REST API output. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device. A successful exploit could allow the attacker to obtain sensitive information, including administrative credentials for an external authentication server. Note: To successfully exploit this vulnerability, the attacker must have valid ERS administrative credentials.

10 Aug 2022, 09:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-08-10 09:15

Updated : 2024-02-04 22:51

NVD link : CVE-2022-20914

Mitre link : CVE-2022-20914

CVE.ORG link : CVE-2022-20914

JSON object : View

Products Affected

cisco

identity_services_engine

CWE

CWE-522

Insufficiently Protected Credentials

CWE-549

Missing Password Field Masking

4.9 /10