中危 Cisco Firepower Management Center 跨站脚本漏洞(CVE-2022-20840)
CVE编号
CVE-2022-2084利用情况
暂无补丁情况
官方补丁披露时间
2022-06-29漏洞描述
思科Firepower管理中心(FMC)软件基于Web的管理界面中存在多个漏洞,可能允许经过身份验证的远程攻击者对受影响设备界面的用户进行存储型跨站脚本(XSS)攻击。这些漏洞是由于基于Web的管理界面对用户提供的输入的验证不足。攻击者可以通过将精心设计的输入插入受影响界面的各种数据字段来利用这些漏洞。成功的利用可能允许攻击者在界面上下文中执行任意脚本代码,或访问敏感的、基于浏览器的信息。在某些情况下,还可能对FMC仪表板的某些部分造成临时可用性影响。解决建议
建议您更新当前系统或软件至最新版,完成漏洞的修复。
参考链接 |
|
|---|---|
| https://github.com/canonical/cloud-init/commit/4d467b14363d800b2185b89790d578... | |
| https://ubuntu.com/security/notices/USN-5496-1 |
受影响软件情况
| # | 类型 | 厂商 | 产品 | 版本 | 影响面 | ||||
| 1 | |||||||||
|---|---|---|---|---|---|---|---|---|---|
| 运行在以下环境 | |||||||||
| 应用 | canonical | cloud-init | * | Up to (excluding) 22.3 | |||||
| 运行在以下环境 | |||||||||
| 系统 | alpine_3.16 | cloud-init | * | Up to (excluding) 22.2.2-r0 | |||||
| 运行在以下环境 | |||||||||
| 系统 | alpine_3.17 | cloud-init | * | Up to (excluding) 22.2.2-r0 | |||||
| 运行在以下环境 | |||||||||
| 系统 | alpine_3.18 | cloud-init | * | Up to (excluding) 22.2.2-r0 | |||||
| 运行在以下环境 | |||||||||
| 系统 | alpine_edge | cloud-init | * | Up to (excluding) 22.2.2-r0 | |||||
| 运行在以下环境 | |||||||||
| 系统 | canonical | ubuntu_linux | 18.04 | - | |||||
| 运行在以下环境 | |||||||||
| 系统 | canonical | ubuntu_linux | 20.04 | - | |||||
| 运行在以下环境 | |||||||||
| 系统 | canonical | ubuntu_linux | 21.10 | - | |||||
| 运行在以下环境 | |||||||||
| 系统 | canonical | ubuntu_linux | 22.04 | - | |||||
| 运行在以下环境 | |||||||||
| 系统 | debian_10 | cloud-init | * | Up to (excluding) 20.2-2~deb10u2 | |||||
| 运行在以下环境 | |||||||||
| 系统 | debian_11 | cloud-init | * | Up to (excluding) 20.4.1-2+deb11u1 | |||||
| 运行在以下环境 | |||||||||
| 系统 | debian_12 | cloud-init | * | Up to (excluding) 22.2-2 | |||||
| 运行在以下环境 | |||||||||
| 系统 | debian_sid | cloud-init | * | Up to (excluding) 22.2-2 | |||||
| 运行在以下环境 | |||||||||
| 系统 | kylinos_aarch64_V10 | cloud-init | * | Up to (excluding) 19.4-6.p03.ky10 | |||||
| 运行在以下环境 | |||||||||
| 系统 | kylinos_aarch64_V10SP1 | cloud-init | * | Up to (excluding) 17.1-12.p02.ky10 | |||||
| 运行在以下环境 | |||||||||
| 系统 | kylinos_aarch64_V10SP2 | cloud-init | * | Up to (excluding) 19.4-6.p03.ky10 | |||||
| 运行在以下环境 | |||||||||
| 系统 | kylinos_aarch64_V10SP3 | cloud-init | * | Up to (excluding) 19.4-6.p03.ky10 | |||||
| 运行在以下环境 | |||||||||
| 系统 | kylinos_loongarch64_V10SP1 | cloud-init | * | Up to (excluding) 17.1-12.p02.a.ky10 | |||||
| 运行在以下环境 | |||||||||
| 系统 | kylinos_loongarch64_V10SP3 | cloud-init | * | Up to (excluding) 19.4-6.p02.a.ky10 | |||||
| 运行在以下环境 | |||||||||
| 系统 | kylinos_x86_64_V10 | cloud-init | * | Up to (excluding) 19.4-6.p03.ky10 | |||||
| 运行在以下环境 | |||||||||
| 系统 | kylinos_x86_64_V10SP1 | cloud-init | * | Up to (excluding) 17.1-12.p02.ky10 | |||||
| 运行在以下环境 | |||||||||
| 系统 | kylinos_x86_64_V10SP2 | cloud-init | * | Up to (excluding) 19.4-6.p03.ky10 | |||||
| 运行在以下环境 | |||||||||
| 系统 | kylinos_x86_64_V10SP3 | cloud-init | * | Up to (excluding) 19.4-6.p03.ky10 | |||||
| 运行在以下环境 | |||||||||
| 系统 | opensuse_Leap_15.4 | cloud-init | * | Up to (excluding) 23.1-150100.8.63.5 | |||||
| 运行在以下环境 | |||||||||
| 系统 | opensuse_Leap_15.5 | cloud-init | * | Up to (excluding) 23.1-150100.8.63.5 | |||||
| 运行在以下环境 | |||||||||
| 系统 | ubuntu_18.04 | cloud-init | * | Up to (excluding) 22.2-0ubuntu1~18.04.3 | |||||
| 运行在以下环境 | |||||||||
| 系统 | ubuntu_20.04 | cloud-init | * | Up to (excluding) 22.2-0ubuntu1~20.04.3 | |||||
| 运行在以下环境 | |||||||||
| 系统 | ubuntu_21.10 | cloud-init | * | Up to (excluding) 22.2-0ubuntu1~21.10.3 | |||||
| 运行在以下环境 | |||||||||
| 系统 | ubuntu_22.04 | cloud-init | * | Up to (excluding) 22.2-0ubuntu1~22.04.3 | |||||
| 运行在以下环境 | |||||||||
| 系统 | ubuntu_22.10 | cloud-init | * | Up to (excluding) 22.2-64-g1fcd55d6-0ubuntu1~22.10.1 | |||||
| 运行在以下环境 | |||||||||
| 系统 | unionos_e | cloud-init | * | Up to (excluding) cloud-init-19.4-12.up4.uel20.02 | |||||
- 攻击路径 本地
- 攻击复杂度 困难
- 权限要求 普通权限
- 影响范围 有限影响
- EXP成熟度 未验证
- 补丁情况 官方补丁
- 数据保密性 无影响
- 数据完整性 N/A
- 服务器危害 无影响
- 全网数量 N/A
| CWE-ID | 漏洞类型 |
| CWE-532 | 通过日志文件的信息暴露 |
Exp相关链接
版权声明
本站原创文章转载请注明文章出处及链接,谢谢合作!
评论