Issued: Sunday, 6 November, 2022
Last Revision: Sunday, 6 November, 2022
Vendor: Cisco
Product: Cisco Identity Services Engine (ISE)
Severity Level: High (highest CVSS 3.1 base score 8.8)
Cisco has released patches for two vulnerabilities in Cisco Identity Services Engine (ISE): a cross-site request forgery (CSRF) flaw and an insufficient access control flaw in the product's web-based management interface.
The more severe of the two is CVE-2022-20961, a cross-site request forgery (CSRF) vulnerability in the ISE web-based management interface. An unauthenticated, remote attacker who persuades an authenticated user of the interface to open a crafted link could cause that user's browser to perform arbitrary actions on the affected device with the user's privileges.
ISE is also affected by CVE-2022-20956, an authorization bypass caused by improper access control in the web-based management interface. An authenticated, remote attacker can exploit it by sending crafted HTTP requests to the interface; a successful exploit allows the attacker to list, download, and delete certain files that their role should not grant access to.
| CVE | Description | CVSS 3.1 Base Score | Public exploit code known |
| --- | --- | --- | --- |
| CVE-2022-20961 | Cisco Identity Services Engine Cross-Site Request Forgery Vulnerability | 8.8 | No |
| CVE-2022-20956 | Cisco Identity Services Engine Insufficient Access Control Vulnerability | 7.1 | Yes |

Table 1: Vulnerability details
| CVE | Affected ISE release trains |
| --- | --- |
| CVE-2022-20961 | 2.6 prior to 2.6p12; 2.7 prior to 2.7p8; 3.0 prior to 3.0p6; 3.1 prior to 3.1p4 |
| CVE-2022-20956 | 3.0 and later |

Table 2: Vulnerable versions
We advise all entities to upgrade to the latest ISE release, or at minimum to the fixed patch level listed in Table 2 for the release train in use, to mitigate these vulnerabilities.
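To turn Table 2 into a repeatable check against an ISE inventory, the following Python script (an added example, not Cisco's tooling and not part of the original advisory) parses ISE version strings and reports which of the two CVEs still apply to each device. The patch thresholds are the ones stated in Table 2; the accepted version formats, the hostnames and the sample inventory are assumptions made for the illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

Train = Tuple[int, int]

# First fixed patch level per release train for CVE-2022-20961, from Table 2:
# a device on one of these trains is vulnerable if its patch level is lower.
FIXED_PATCH_20961: Dict[Train, int] = {
    (2, 6): 12,
    (2, 7): 8,
    (3, 0): 6,
    (3, 1): 4,
}

# Table 2 states only that CVE-2022-20956 affects "3.0 and later" and lists
# no fixed patch level, so every release from 3.0 onward is reported as
# affected; confirm the fixed release with the vendor before closing it out.
FIRST_AFFECTED_20956: Train = (3, 0)

# Assumed input formats: the short form used in the advisory ("2.7p8",
# "3.1p4") and the longer form shown in the ISE UI ("3.1.0.518 Patch 4").
# A missing patch suffix means the base release (patch 0).
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)(?:\.\d+)*(?:\s*(?:[pP]atch|[pP])\s*(\d+))?$"
)


def parse_ise_version(text: str) -> Tuple[Train, int]:
    """Return ((major, minor), patch) for an ISE version string."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ISE version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor)), (int(patch) if patch else 0)


def vulnerable_to_20961(version: str) -> Optional[bool]:
    """True if the device still needs the CSRF fix, False if it is at or past
    the fixed patch level, None if the train is not listed in Table 2."""
    train, patch = parse_ise_version(version)
    fixed = FIXED_PATCH_20961.get(train)
    if fixed is None:
        return None
    return patch < fixed  # numeric compare: p12 is newer than p8


def vulnerable_to_20956(version: str) -> bool:
    """True for every train from 3.0 onward, per Table 2."""
    train, _ = parse_ise_version(version)
    return train >= FIRST_AFFECTED_20956


def assess_inventory(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Map {hostname: version} to (hostname, version, finding) rows."""
    rows = []
    for host, version in sorted(inventory.items()):
        findings = []
        csrf = vulnerable_to_20961(version)
        if csrf is True:
            findings.append("CVE-2022-20961")
        elif csrf is None:
            findings.append("CVE-2022-20961 (train not in Table 2, check vendor)")
        if vulnerable_to_20956(version):
            findings.append("CVE-2022-20956")
        rows.append((host, version, ", ".join(findings) or "patched per Table 2"))
    return rows


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative.
    sample = {
        "ise-lab-01": "2.6p11",
        "ise-lab-02": "2.7p8",
        "ise-prod-01": "3.0.0.458 Patch 5",
        "ise-prod-02": "3.1p4",
        "ise-old-01": "2.4p14",
    }
    for host, version, finding in assess_inventory(sample):
        print(f"{host:12} {version:20} {finding}")
```

Patch levels are compared as integers within a train, so 2.6p12 correctly ranks above 2.6p8 (a plain string comparison would get this wrong). Trains that Table 2 does not mention are reported separately rather than silently marked as patched.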
