CVE-2022-20772

Summary

A vulnerability in Cisco Email Security Appliance (ESA) and Cisco Secure Email and Web Manager could allow an unauthenticated, remote attacker to conduct an HTTP response splitting attack. This vulnerability is due to the failure of the application or its environment to properly sanitize input values. An attacker could exploit this vulnerability by injecting malicious HTTP headers, controlling the response body, or splitting the response into multiple responses.

Affected Software

VendorProductVersion RangeStatus
CiscoCisco Secure Email13.5.1-277affected
CiscoCisco Secure Email14.0.0-698affected
CiscoCisco Secure Email14.2.0-620affected
CiscoCisco Secure Email and Web Manager14.0.0-404affected
CiscoCisco Secure Email and Web Manager14.1.0-223affected
CiscoCisco Secure Email and Web Manager14.1.0-227affected
CiscoCisco Secure Email and Web Manager14.2.0-212affected

Weaknesses

  • CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References