CVE-2022-20914

MEDIUM

Cisco Identity Services Engine 2.4.0-2.5.9 - Authenticated Sensitive Information Disclosure via ERS API

Title source: llm

Description

A vulnerability in the External RESTful Services (ERS) API of Cisco Identity Services Engine (ISE) Software could allow an authenticated, remote attacker to obtain sensitive information. This vulnerability is due to excessive verbosity in a specific REST API output. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device. A successful exploit could allow the attacker to obtain sensitive information, including administrative credentials for an external authentication server. Note: To successfully exploit this vulnerability, the attacker must have valid ERS administrative credentials.

References (1)

Core 1

Core References

Vendor Advisory vendor-advisory x_refsource_cisco

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-pwd-WH64AhQF

Scores

CVSS v3 4.9

EPSS 0.0015

EPSS Percentile 35.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-549 CWE-522

Status published

Products (5)

cisco/identity_services_engine 2.6.0 (10 CPE variants)

cisco/identity_services_engine 2.7.0 (8 CPE variants)

cisco/identity_services_engine 3.0.0 (6 CPE variants)

cisco/identity_services_engine 3.1 (2 CPE variants)

cisco/identity_services_engine 2.4.0 - 2.6.0

Published Aug 10, 2022

Tracked Since Feb 18, 2026