CVE-2014-1644

The forgotten-password feature in forcepasswd.do in the management GUI in Symantec LiveUpdate Administrator (LUA) 2.x before 2.3.2.110 allows remote attackers to reset arbitrary passwords by providing the e-mail address associated with a user account.

CVSS v2.0 7.5 HIGH

7.5^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://archives.neohapsis.com/archives/bugtraq/2014-03/0172.html
http://www.securityfocus.com/bid/66399
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20140327_00	Patch Vendor Advisory
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20140328-0_Symantec_LiveUpdate_Administrator_Multiple_vulnerabilities_wo_poc_v10.txt

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:symantec:liveupdate_administrator::::::::
	cpe:2.3:a:symantec:liveupdate_administrator:2.1.0:::::::*
	cpe:2.3:a:symantec:liveupdate_administrator:2.1.2:::::::*
	cpe:2.3:a:symantec:liveupdate_administrator:2.1.3:::::::*
	cpe:2.3:a:symantec:liveupdate_administrator:2.2.1:::::::*
	cpe:2.3:a:symantec:liveupdate_administrator:2.2.2:::::::*
	cpe:2.3:a:symantec:liveupdate_administrator:2.2.2.9:::::::*
	cpe:2.3:a:symantec:liveupdate_administrator:2.3.0:::::::*
	cpe:2.3:a:symantec:liveupdate_administrator:2.3.1:::::::*

History

No history.

Information

Published : 2014-03-29 01:55

Updated : 2024-02-28 12:20

NVD link : CVE-2014-1644

Mitre link : CVE-2014-1644

CVE.ORG link : CVE-2014-1644

JSON object : View

Products Affected

symantec

liveupdate_administrator

CWE

CWE-255

Credentials Management Errors

{"id": "CVE-2014-1644", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2014-03-29T01:55:07.093", "references": [{"url": "http://archives.neohapsis.com/archives/bugtraq/2014-03/0172.html", "source": "secure@symantec.com"}, {"url": "http://www.securityfocus.com/bid/66399", "source": "secure@symantec.com"}, {"url": "http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20140327_00", "tags": ["Patch", "Vendor Advisory"], "source": "secure@symantec.com"}, {"url": "https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20140328-0_Symantec_LiveUpdate_Administrator_Multiple_vulnerabilities_wo_poc_v10.txt", "source": "secure@symantec.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-255"}]}], "descriptions": [{"lang": "en", "value": "The forgotten-password feature in forcepasswd.do in the management GUI in Symantec LiveUpdate Administrator (LUA) 2.x before 2.3.2.110 allows remote attackers to reset arbitrary passwords by providing the e-mail address associated with a user account."}, {"lang": "es", "value": "La funcionalidad forgotten-password en forcepasswd.do en la GUI de gesti\u00f3n en Symantec LiveUpdate Administrator (LUA) 2.x anterior a 2.3.2.110 permite a atacantes remotos restablecer contrase\u00f1as arbitrarias proporcionando la direcci\u00f3n de email asociada con una cuenta de usuario."}], "lastModified": "2014-03-31T16:40:14.277", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:symantec:liveupdate_administrator:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "30E31DE4-79FD-46CB-B4EF-97C71314F6DD", "versionEndIncluding": "2.3.2"}, {"criteria": "cpe:2.3:a:symantec:liveupdate_administrator:2.1.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6C6436A5-ED76-4A14-B0B7-F34ED9A103B4"}, {"criteria": "cpe:2.3:a:symantec:liveupdate_administrator:2.1.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B411C8E3-5C1E-4C05-85EB-27EDDF1BEEF3"}, {"criteria": "cpe:2.3:a:symantec:liveupdate_administrator:2.1.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C4DA63E2-6474-4DFC-B3D8-74164227385D"}, {"criteria": "cpe:2.3:a:symantec:liveupdate_administrator:2.2.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "20DC932C-BD80-43C0-A3F8-DC65F0EE1FFE"}, {"criteria": "cpe:2.3:a:symantec:liveupdate_administrator:2.2.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8C2DE1CE-8A1D-4BEB-86A2-EF5501789A97"}, {"criteria": "cpe:2.3:a:symantec:liveupdate_administrator:2.2.2.9:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6810DD57-BF79-4F38-81C5-8F2B69577E35"}, {"criteria": "cpe:2.3:a:symantec:liveupdate_administrator:2.3.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7C05A008-A1A0-4CDE-B235-785316EE0055"}, {"criteria": "cpe:2.3:a:symantec:liveupdate_administrator:2.3.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5BFF96B5-8BC2-47CA-94CC-CD9144E939AC"}], "operator": "OR"}]}], "sourceIdentifier": "secure@symantec.com"}