CVE-2015-0922

Sažetak

McAfee ePolicy Orchestrator (ePO) before 4.6.9 and 5.x before 5.1.2 uses the same secret key across different customers' installations, which allows attackers to obtain the administrator password by leveraging knowledge of the encrypted password.

Reference

http://packetstormsecurity.com/files/129827/McAfee-ePolicy-Orchestrator-Authenticated-XXE-Credential-Exposure.html
http://seclists.org/fulldisclosure/2015/Jan/37
http://seclists.org/fulldisclosure/2015/Jan/8
http://www.securityfocus.com/bid/72298
http://www.securitytracker.com/id/1031519
https://exchange.xforce.ibmcloud.com/vulnerabilities/99949
https://gist.github.com/brandonprry/692e553975bf29aeaf2c
https://kc.mcafee.com/corporate/index?page=content&id=SB10095

CVSS

Base:	5.0
Impact:	2.9
Exploitability:	10.0

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
PARTIAL	NONE	NONE

CVSS vektor

AV:N/AC:L/Au:N/C:P/I:N/A:N

Zadnje važnije ažuriranje

08-09-2017 - 01:29

Objavljeno

09-01-2015 - 18:59