CVE-2022-20929

Summary

A vulnerability in the upgrade signature verification of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an unauthenticated, local attacker to provide an unauthentic upgrade file for upload. This vulnerability is due to insufficient cryptographic signature verification of upgrade files. An attacker could exploit this vulnerability by providing an administrator with an unauthentic upgrade file. A successful exploit could allow the attacker to fully compromise the Cisco NFVIS system.

Affected Software

VendorProductVersion RangeStatus
CiscoCisco Enterprise NFV Infrastructure Software3.5.1affected
CiscoCisco Enterprise NFV Infrastructure Software3.5.2affected
CiscoCisco Enterprise NFV Infrastructure Software3.6.1affected
CiscoCisco Enterprise NFV Infrastructure Software3.6.2affected
CiscoCisco Enterprise NFV Infrastructure Software3.6.3affected
CiscoCisco Enterprise NFV Infrastructure Software3.7.1affected
CiscoCisco Enterprise NFV Infrastructure Software3.8.1affected
CiscoCisco Enterprise NFV Infrastructure Software3.9.1affected
CiscoCisco Enterprise NFV Infrastructure Software3.9.2affected
CiscoCisco Enterprise NFV Infrastructure Software3.10.1affected
CiscoCisco Enterprise NFV Infrastructure Software3.10.2affected
CiscoCisco Enterprise NFV Infrastructure Software3.10.3affected
CiscoCisco Enterprise NFV Infrastructure Software3.11.1affected
CiscoCisco Enterprise NFV Infrastructure Software3.11.2affected
CiscoCisco Enterprise NFV Infrastructure Software3.11.3affected
CiscoCisco Enterprise NFV Infrastructure Software3.12.1affected
CiscoCisco Enterprise NFV Infrastructure Software3.12.2affected
CiscoCisco Enterprise NFV Infrastructure Software3.12.3affected
CiscoCisco Enterprise NFV Infrastructure Software3.12.1aaffected
CiscoCisco Enterprise NFV Infrastructure Software3.12.1baffected
CiscoCisco Enterprise NFV Infrastructure Software4.1.1affected
CiscoCisco Enterprise NFV Infrastructure Software4.1.2affected
CiscoCisco Enterprise NFV Infrastructure Software4.2.1affected
CiscoCisco Enterprise NFV Infrastructure Software4.4.2affected
CiscoCisco Enterprise NFV Infrastructure Software4.4.1affected
CiscoCisco Enterprise NFV Infrastructure Software4.5.1affected
CiscoCisco Enterprise NFV Infrastructure Software4.6.1affected
CiscoCisco Enterprise NFV Infrastructure Software4.6.2-FC3affected
CiscoCisco Enterprise NFV Infrastructure Software4.6.2affected
CiscoCisco Enterprise NFV Infrastructure Software4.6.3affected
CiscoCisco Enterprise NFV Infrastructure Software4.7.1affected
CiscoCisco Enterprise NFV Infrastructure Software4.8.1affected
CiscoCisco Enterprise NFV Infrastructure Software4.9.1affected

Weaknesses

  • CWE-347: Improper Verification of Cryptographic Signature

ADP Enrichment

CVE Program Container

Additional References

References