CVE-2022-20752
06.07.2022, 21:15
A vulnerability in Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), and Cisco Unity Connection could allow an unauthenticated, remote attacker to perform a timing attack. This vulnerability is due to insufficient protection of a system password. An attacker could exploit this vulnerability by observing the time it takes the system to respond to various queries. A successful exploit could allow the attacker to determine a sensitive system password.Enginsight
| Vendor | Product | Version |
|---|---|---|
| cisco | unified_communications_manager | 12.5\(1\) ≤ 𝑥 < 12.5\(1\)su6 |
| cisco | unified_communications_manager | 12.5\(1\) ≤ 𝑥 < 12.5\(1\)su6 |
| cisco | unified_communications_manager | 14.0 ≤ 𝑥 < 14su1 |
| cisco | unified_communications_manager | 14.0 ≤ 𝑥 < 14su1 |
| cisco | unity_connection | 12.5\(1\) ≤ 𝑥 < 12.5\(1\)su6 |
| cisco | unity_connection | 14.0 ≤ 𝑥 < 14su1 |
𝑥
= Vulnerable software versions
Common Weakness Enumeration
- CWE-208 - Observable Timing DiscrepancyTwo separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.
- CWE-203 - Observable DiscrepancyThe product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.