cnvd - cnvd-2020-36261

cnvd-2020-36261

Vulnerability from cnvd

Title: Cisco Unified Contact Center Express授权问题漏洞

Description:

Cisco Unified Contact Center Express（Unified CCX）是美国思科（Cisco）公司的一款统一通信解决方案中的客户关系管理组件。该组件支持自助语音服务、呼叫分配和客户访问控制等功能。

Cisco Unified Contact Center Express 12.5(1)之前版本中存在授权问题漏洞，攻击者可通过使用有效的代理凭据进行身份验证，并使用特制的输入执行特定的API调用利用该漏洞更改代理的可用性状态，进而导致拒绝服务。

Severity: 中

Patch Name: Cisco Unified Contact Center Express授权问题漏洞的补丁

Patch Description:

Cisco Unified Contact Center Express 12.5(1)之前版本中存在授权问题漏洞，攻击者可通过使用有效的代理凭据进行身份验证，并使用特制的输入执行特定的API调用利用该漏洞更改代理的可用性状态，进而导致拒绝服务。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

厂商已发布了漏洞修复程序，请及时关注更新： https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-uccx-api-auth-WSx4v7sB

Reference: https://nvd.nist.gov/vuln/detail/CVE-2020-3267 https://www.auscert.org.au/bulletins/ESB-2020.1958/

Impacted products

Name
Cisco Cisco Unified Contact Center Express（Unified CCX） <12.5(1)

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-3267"
    }
  },
  "description": "Cisco Unified Contact Center Express\uff08Unified CCX\uff09\u662f\u7f8e\u56fd\u601d\u79d1\uff08Cisco\uff09\u516c\u53f8\u7684\u4e00\u6b3e\u7edf\u4e00\u901a\u4fe1\u89e3\u51b3\u65b9\u6848\u4e2d\u7684\u5ba2\u6237\u5173\u7cfb\u7ba1\u7406\u7ec4\u4ef6\u3002\u8be5\u7ec4\u4ef6\u652f\u6301\u81ea\u52a9\u8bed\u97f3\u670d\u52a1\u3001\u547c\u53eb\u5206\u914d\u548c\u5ba2\u6237\u8bbf\u95ee\u63a7\u5236\u7b49\u529f\u80fd\u3002\n\nCisco Unified Contact Center Express 12.5(1)\u4e4b\u524d\u7248\u672c\u4e2d\u5b58\u5728\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u4f7f\u7528\u6709\u6548\u7684\u4ee3\u7406\u51ed\u636e\u8fdb\u884c\u8eab\u4efd\u9a8c\u8bc1\uff0c\u5e76\u4f7f\u7528\u7279\u5236\u7684\u8f93\u5165\u6267\u884c\u7279\u5b9a\u7684API\u8c03\u7528\u5229\u7528\u8be5\u6f0f\u6d1e\u66f4\u6539\u4ee3\u7406\u7684\u53ef\u7528\u6027\u72b6\u6001\uff0c\u8fdb\u800c\u5bfc\u81f4\u62d2\u7edd\u670d\u52a1\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-uccx-api-auth-WSx4v7sB",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-36261",
  "openTime": "2020-07-06",
  "patchDescription": "Cisco Unified Contact Center Express\uff08Unified CCX\uff09\u662f\u7f8e\u56fd\u601d\u79d1\uff08Cisco\uff09\u516c\u53f8\u7684\u4e00\u6b3e\u7edf\u4e00\u901a\u4fe1\u89e3\u51b3\u65b9\u6848\u4e2d\u7684\u5ba2\u6237\u5173\u7cfb\u7ba1\u7406\u7ec4\u4ef6\u3002\u8be5\u7ec4\u4ef6\u652f\u6301\u81ea\u52a9\u8bed\u97f3\u670d\u52a1\u3001\u547c\u53eb\u5206\u914d\u548c\u5ba2\u6237\u8bbf\u95ee\u63a7\u5236\u7b49\u529f\u80fd\u3002\r\n\r\nCisco Unified Contact Center Express 12.5(1)\u4e4b\u524d\u7248\u672c\u4e2d\u5b58\u5728\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u4f7f\u7528\u6709\u6548\u7684\u4ee3\u7406\u51ed\u636e\u8fdb\u884c\u8eab\u4efd\u9a8c\u8bc1\uff0c\u5e76\u4f7f\u7528\u7279\u5236\u7684\u8f93\u5165\u6267\u884c\u7279\u5b9a\u7684API\u8c03\u7528\u5229\u7528\u8be5\u6f0f\u6d1e\u66f4\u6539\u4ee3\u7406\u7684\u53ef\u7528\u6027\u72b6\u6001\uff0c\u8fdb\u800c\u5bfc\u81f4\u62d2\u7edd\u670d\u52a1\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Cisco Unified Contact Center Express\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Cisco Cisco Unified Contact Center Express\uff08Unified CCX\uff09 \u003c12.5(1)"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2020-3267\r\nhttps://www.auscert.org.au/bulletins/ESB-2020.1958/",
  "serverity": "\u4e2d",
  "submitTime": "2020-06-04",
  "title": "Cisco Unified Contact Center Express\u6388\u6743\u95ee\u9898\u6f0f\u6d1e"
}

CVE-2020-3267 (GCVE-0-2020-3267)

Vulnerability from cvelistv5

Published

2020-06-03 17:56

Modified

2024-11-15 17:10

Severity ?

5.4 (Medium) - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

CWE

CWE-285

Summary

A vulnerability in the API subsystem of Cisco Unified Contact Center Express (Unified CCX) could allow an authenticated, remote attacker to change the availability state of any agent. The vulnerability is due to insufficient authorization enforcement on an affected system. An attacker could exploit this vulnerability by authenticating to an affected system with valid agent credentials and performing a specific API call with crafted input. A successful exploit could allow the attacker to change the availability state of an agent, potentially causing a denial of service condition.

References

▼	URL	Tags
	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-uccx-api-auth-WSx4v7sB	vendor-advisory, x_refsource_CISCO

Impacted products

	Vendor	Product	Version
	Cisco	Cisco Unified Contact Center Express	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T07:30:57.603Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "20200603 Cisco Unified Contact Center Express Improper API Authorization Vulnerability",
            "tags": [
              "vendor-advisory",
              "x_refsource_CISCO",
              "x_transferred"
            ],
            "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-uccx-api-auth-WSx4v7sB"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2020-3267",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-15T16:27:50.378472Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-15T17:10:52.127Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Cisco Unified Contact Center Express",
          "vendor": "Cisco",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2020-06-03T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability in the API subsystem of Cisco Unified Contact Center Express (Unified CCX) could allow an authenticated, remote attacker to change the availability state of any agent. The vulnerability is due to insufficient authorization enforcement on an affected system. An attacker could exploit this vulnerability by authenticating to an affected system with valid agent credentials and performing a specific API call with crafted input. A successful exploit could allow the attacker to change the availability state of an agent, potentially causing a denial of service condition."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "value": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-285",
              "description": "CWE-285",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-06-03T17:56:18",
        "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
        "shortName": "cisco"
      },
      "references": [
        {
          "name": "20200603 Cisco Unified Contact Center Express Improper API Authorization Vulnerability",
          "tags": [
            "vendor-advisory",
            "x_refsource_CISCO"
          ],
          "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-uccx-api-auth-WSx4v7sB"
        }
      ],
      "source": {
        "advisory": "cisco-sa-uccx-api-auth-WSx4v7sB",
        "defect": [
          [
            "CSCvr12303"
          ]
        ],
        "discovery": "INTERNAL"
      },
      "title": "Cisco Unified Contact Center Express Improper API Authorization Vulnerability",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@cisco.com",
          "DATE_PUBLIC": "2020-06-03T16:00:00",
          "ID": "CVE-2020-3267",
          "STATE": "PUBLIC",
          "TITLE": "Cisco Unified Contact Center Express Improper API Authorization Vulnerability"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Cisco Unified Contact Center Express",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Cisco"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A vulnerability in the API subsystem of Cisco Unified Contact Center Express (Unified CCX) could allow an authenticated, remote attacker to change the availability state of any agent. The vulnerability is due to insufficient authorization enforcement on an affected system. An attacker could exploit this vulnerability by authenticating to an affected system with valid agent credentials and performing a specific API call with crafted input. A successful exploit could allow the attacker to change the availability state of an agent, potentially causing a denial of service condition."
            }
          ]
        },
        "exploit": [
          {
            "lang": "en",
            "value": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory."
          }
        ],
        "impact": {
          "cvss": {
            "baseScore": "5.4",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-285"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "20200603 Cisco Unified Contact Center Express Improper API Authorization Vulnerability",
              "refsource": "CISCO",
              "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-uccx-api-auth-WSx4v7sB"
            }
          ]
        },
        "source": {
          "advisory": "cisco-sa-uccx-api-auth-WSx4v7sB",
          "defect": [
            [
              "CSCvr12303"
            ]
          ],
          "discovery": "INTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
    "assignerShortName": "cisco",
    "cveId": "CVE-2020-3267",
    "datePublished": "2020-06-03T17:56:18.231829Z",
    "dateReserved": "2019-12-12T00:00:00",
    "dateUpdated": "2024-11-15T17:10:52.127Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted