Cyber Resilience

CVE-2022-20732

HighLPE

Published: 21 April 2022

Published
21 April 2022
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0012 30.5th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2022-20732 is a high-severity Improper Access Control (CWE-284) vulnerability in Cisco Virtualized Infrastructure Manager. Its CVSS base score is 7.8 (High).

Operationally, ranked at the 30.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

A vulnerability in the configuration file protections of Cisco Virtualized Infrastructure Manager (VIM) could allow an authenticated, local attacker to access confidential information and elevate privileges on an affected device. This vulnerability is due to improper access permissions for certain…

more

configuration files. An attacker with low-privileged credentials could exploit this vulnerability by accessing an affected device and reading the affected configuration files. A successful exploit could allow the attacker to obtain internal database credentials, which the attacker could use to view and modify the contents of the database. The attacker could use this access to the database to elevate privileges on the affected device.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

cisco
virtualized infrastructure manager
≤ 4.2.2

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-284 CWE-276

The access control policy and procedures directly mandate and enforce proper access control mechanisms across the organization.

addresses: CWE-276 CWE-284

Guides setting of default permissions to the minimum required level.

addresses: CWE-284 CWE-276

Defines roles, responsibilities, and access rules for configuration management activities, making improper access to configuration resources harder to exploit.

addresses: CWE-284 CWE-276

Baseline includes documented access control settings that are reviewed and maintained, reducing the ability to exploit improper access control.

addresses: CWE-276 CWE-284

Requiring the most restrictive settings instead of defaults prevents incorrect default permissions on resources.

addresses: CWE-284 CWE-276

Explicitly requires protecting the configuration management plan from unauthorized disclosure and modification.

addresses: CWE-284 CWE-276

The policy defines and enforces restrictions on physical access to resources, directly reducing improper access control.

addresses: CWE-276 CWE-284

Tailoring explicitly overrides or scopes default permission assignments in the baseline to match the system's actual risk and operational needs.

References