Overview
A vulnerability in the Cisco IOx application hosting environment of multiple Cisco platforms could allow an authenticated, remote attacker to read arbitrary files from the underlying host filesystem.
Impact
An attacker could exploit this vulnerability by sending a crafted command request using the API. A successful exploit could allow the attacker to read the contents of any file that is located on the host device filesystem.
Details
This vulnerability is due to insufficient path validation of command arguments within the Cisco IOx API.
Solution
Security patch
Upgrade to patched version (see above).
Workaround
There are no workarounds that address this vulnerability.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-20722
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iox-yuXQ6hFj
Credits
Orange CERT-CC
Cyrille CHATRAS at Orange group
Timeline
Date reported: June 06, 2021
Date fixed: April 13, 2022
Overview
A vulnerability in the Cisco IOx application hosting environment of multiple Cisco platforms could allow an authenticated, remote attacker to read arbitrary files from the underlying host filesystem.
Impact
An attacker could exploit this vulnerability by sending a crafted command request using the API. A successful exploit could allow the attacker to read the contents of any file that is located on the host device filesystem.
Details
This vulnerability is due to insufficient path validation of command arguments within the Cisco IOx API.
Solution
Security patch
Upgrade to patched version (see above).
Workaround
There are no workarounds that address this vulnerability.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-20722
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iox-yuXQ6hFj
Credits
Orange CERT-CC
Cyrille CHATRAS at Orange group
Timeline
Date reported: June 06, 2021
Date fixed: April 13, 2022