CVE-2022-20859

Name of the Vulnerable Software and Affected Versions Cisco Unified Communications Manager versions (affected versions not specified) Cisco Unified Communications Manager IM & Presence Service versions (affected versions not specified) Cisco Unity Connection versions (affected versions not specified)

Description A vulnerability in the Disaster Recovery framework could allow an authenticated, remote attacker to perform certain administrative actions they should not be able to. This issue is due to insufficient access control checks on the affected device. An attacker with read-only privileges could exploit this vulnerability by executing a specific vulnerable command on an affected device. A successful exploit could allow the attacker to perform a set of administrative actions they should not be able to.

Recommendations For Cisco Unified Communications Manager, update to a version that includes the fix for the insufficient access control checks. For Cisco Unified Communications Manager IM & Presence Service, update to a version that includes the fix for the insufficient access control checks. For Cisco Unity Connection, update to a version that includes the fix for the insufficient access control checks. As a temporary workaround, consider restricting access to the Disaster Recovery framework until a patch is available.