Denial of Service Vulnerability in Cisco Unified Communications Manager IM & Presence Service
CVE-2023-20108

7.5HIGH

Key Information:

Vendor: Cisco
Status: Cisco Unified Communications Manager IM and Presence Service
Vendor: CVE Published:; 28 June 2023

Summary

A vulnerability exists in the XCP Authentication Service of the Cisco Unified Communications Manager IM & Presence Service, potentially allowing an unauthenticated remote attacker to disrupt service for all users attempting to authenticate. This vulnerability stems from improper validation of user-supplied input. By sending a specially crafted login message, an attacker can trigger an unexpected restart of the authentication service, which leads to a denial of service condition for new users trying to access the system. However, users who were already authenticated prior to the attack are not affected.

Affected Version(s)

Cisco Unified Communications Manager IM and Presence Service 10.5(1)

Cisco Unified Communications Manager IM and Presence Service 10.5(2)

Cisco Unified Communications Manager IM and Presence Service 10.5(2a)

References

https://sec.cloudapps.cisco.com/security/center/content/C...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jun 28, 2023
Vulnerability Reserved
Oct 27, 2022