CVE-2022-20664
Published: 15 June 2022
Summary
CVE-2022-20664 is a high-severity Exposure of Sensitive System Information to an Unauthorized Control Sphere (CWE-497) vulnerability in Cisco Secure Email And Web Manager. Its CVSS base score is 7.7 (High).
Operationally, ranked in the top 40.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-25914
Vulnerability details
A vulnerability in the web management interface of Cisco Secure Email and Web Manager, formerly Cisco Security Management Appliance (SMA), and Cisco Email Security Appliance (ESA) could allow an authenticated, remote attacker to retrieve sensitive information from a Lightweight Directory…
more
Access Protocol (LDAP) external authentication server connected to an affected device. This vulnerability is due to a lack of proper input sanitization while querying the external authentication server. An attacker could exploit this vulnerability by sending a crafted query through an external authentication web page. A successful exploit could allow the attacker to gain access to sensitive information, including user credentials from the external authentication server. To exploit this vulnerability, an attacker would need valid operator-level (or higher) credentials.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Review and removal of nonpublic information from publicly accessible systems directly prevents exposure of sensitive data to unauthorized actors.
Data mining protection mechanisms detect and block unauthorized bulk extraction of sensitive data, directly mitigating exposure to unauthorized actors.
Documenting information locations and authorized users enables better protection against unauthorized exposure of sensitive data.
Shielding or other emanation protections directly prevent sensitive information from reaching unauthorized actors via electromagnetic signals.
Minimizing PII in testing/training/research directly reduces the volume of sensitive data present in environments where it could be exposed to unauthorized actors.
Categorization identifies sensitive data so that confidentiality protections commensurate with impact level are selected and documented.
Concealment techniques directly prevent real sensitive data from being exposed to adversaries.
Restricts error message visibility to authorized recipients, directly reducing unauthorized exposure of sensitive information.