Vulnerabilities > CVE-2022-20752 - Information Exposure Through Discrepancy vulnerability in Cisco Unified Communications Manager and Unity Connection

CVSS 5.3 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

LOW

Integrity impact

NONE

Availability impact

NONE

network

low complexity

cisco

CWE-203

NVD

Published: 2022-07-06

Updated: 2023-11-07

Summary

A vulnerability in Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), and Cisco Unity Connection could allow an unauthenticated, remote attacker to perform a timing attack. This vulnerability is due to insufficient protection of a system password. An attacker could exploit this vulnerability by observing the time it takes the system to respond to various queries. A successful exploit could allow the attacker to determine a sensitive system password.

Vulnerable Configurations

Part	Description	Count
Application	Cisco Cisco Unified Communications Manager 14.0 Cisco Unified Communications Manager 14.0\(1.10000.20\) Cisco Unified Communications Manager 12.5\(1\) Cisco Unified Communications Manager 12.5\(1\)Su1 Cisco Unified Communications Manager 12.5\(1\)Su2 Cisco Unified Communications Manager 12.5\(1\)Su3 Cisco Unified Communications Manager 12.5\(1\)Su4 Cisco Unified Communications Manager 12.5\(1\)Su5 Cisco Unity Connection 14.0 Cisco Unity Connection 12.5\(1\) Cisco Unity Connection 12.5\(1\)Su3	18

Common Weakness Enumeration (CWE)

CWE-203 - Information Exposure Through Discrepancy

References

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ucm-timing-JVbHECOK