6.5

CVE-2019-13021

Exploit

EPSS 0.17%
Veröffentlicht 14.05.2020 17:15:11
Zuletzt bearbeitet 21.11.2024 04:24:02
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

The administrative passwords for all versions of Bond JetSelect are stored within an unprotected file on the filesystem, rather than encrypted within the MySQL database. This backup copy of the passwords is made as part of the installation script, after the administrator has generated a password using ENCtool.jar (see CVE-2019-13022). This allows any low-privilege user who can read this file to trivially obtain the passwords for the administrative accounts of the JetSelect application. The path to the file containing the encoded password hash is /opt/JetSelect/SFC/resources/sfc-general-properties.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Jetstream ≫ Jetselect

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.17%	0.381

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov	4	8	2.9	AV:N/AC:L/Au:S/C:P/I:N/A:N

CWE-312 Cleartext Storage of Sensitive Information

The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

https://labs.nettitude.com/blog/cve-2019-13021-22-23-jetselect-network-segregation-application/

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2019-13021

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2019-13021

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2019-13021

EUVD