This vulnerability is now being considered a "dubious" vulnerability. Vendors will be rated as "high risk" if their responses to the list of "dubious" vulnerabilities do not pass the test set forth in the criteria for rating "dubious" vulnerabilities. This rating will remain in place until a vendor's response has been determined to be "Not a Problem" or "Problem Fixed."

Vulnerability Information and Description

The following is the full text of the CVE-2022-30331 vulnerability in the CVE ID list.

CVE-2022-30331 | Vendor Response to List of "Dubious" Vulnerabilities

This vulnerability is now considered a "dubious" vulnerability. Vendors will be rated as "high risk" if their responses to the list of "dubious" vulnerabilities do not pass the test set forth in the criteria for rating "dubious" vulnerabilities. This rating will remain in place until a vendor's response has been determined to be "Not a Problem" or "Problem Fixed."

Vulnerability Information

This vulnerability affects the following products:

- Cisco IOS 12.4 code running on devices that have a vulnerable feature such as an HTTP service enabled in default configuration
- Cisco IOS 12.4 code running on devices that have a vulnerable feature such as a Telnet service enabled in default configuration

Cisco has released an advisory to address this vulnerability. This advisory can be found at the following links:
https://www.cisco.com/c/en/us/products/security/ios-12-nx-sp1-advisory-20171019-references.html
http://tools.cisco.com/security/center/contentList?id=CVE%3A%202022%2F30331&group=0

CVSSv2 Scores

A vulnerability analysis score is assigned to each vulnerability in CVE. The vulnerability analysis score is based on the CVSSv2 score for that vulnerability, with a base value of 10. A vendor's response will be rated as "high risk" if their responses to the list of "dubious" vulnerabilities do not pass the test set forth in the criteria for rating "dubious" vulnerabilities. This rating will remain in place until a vendor's response has been determined to be "Not a Problem" or "Problem Fixed."
The following are criteria for rating dubious vulnerabilities:
Vendors should provide answers that validate this list and confirm all vulnerabilities were indeed addressed and remediated, and should provide evidence of remediation as well.
Vendor responses providing a high level of validation of these criteria will receive a bonus point that can increase their overall score. Vendors should provide their own score, which will then be added to the overall score.

Timeline

Published on: 09/05/2022 16:15:00 UTC
Last modified on: 09/14/2022 15:46:00 UTC

References