CVE-2020-7196

The HPE BlueData EPIC Software Platform version 4.0 and HPE Ezmeral Container Platform 5.0 use an insecure method of handling sensitive Kerberos passwords that is susceptible to unauthorized interception and/or retrieval. Specifically, they display the kdc_admin_password in the source file of the url "/bdswebui/assignusers/".

CVSS v3 6.5 MEDIUM
CVSS v2.0 4.0 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:P/I:N/A:N

Exploitability : 8.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn04049en_us	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:hp:bluedata_epic::::::::
	cpe:2.3:a:hp:ezmeral_container_platform:5.0:::::::*

History

No history.

Information

Published : 2020-10-26 16:15

Updated : 2024-02-28 18:08

NVD link : CVE-2020-7196

Mitre link : CVE-2020-7196

CVE.ORG link : CVE-2020-7196

JSON object : View

Products Affected

hp

bluedata_epic
ezmeral_container_platform

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

CWE-522

Insufficiently Protected Credentials

{"id": "CVE-2020-7196", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "authentication": "SINGLE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2020-10-26T16:15:14.097", "references": [{"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn04049en_us", "tags": ["Vendor Advisory"], "source": "security-alert@hpe.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-522"}]}], "descriptions": [{"lang": "en", "value": "The HPE BlueData EPIC Software Platform version 4.0 and HPE Ezmeral Container Platform 5.0 use an insecure method of handling sensitive Kerberos passwords that is susceptible to unauthorized interception and/or retrieval. Specifically, they display the kdc_admin_password in the source file of the url \"/bdswebui/assignusers/\"."}, {"lang": "es", "value": "HPE BlueData EPIC Software Platform versi\u00f3n 4.0 y HPE Ezmeral Container Platform versi\u00f3n 5.0, usan un m\u00e9todo no seguro para manejar contrase\u00f1as de Kerberos confidenciales que es susceptible de interceptaci\u00f3n y/o recuperaci\u00f3n no autorizada. Espec\u00edficamente, muestran la funci\u00f3n kdc_admin_password en el archivo fuente de la URL \"/bdswebui/ assignusers/\""}], "lastModified": "2021-07-21T11:39:23.747", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:hp:bluedata_epic:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D0AA40C4-D6C8-4072-AB92-31036E820F90", "versionEndIncluding": "4.0"}, {"criteria": "cpe:2.3:a:hp:ezmeral_container_platform:5.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F751C3FE-7A93-41B8-A894-F38F44C8D816"}], "operator": "OR"}]}], "sourceIdentifier": "security-alert@hpe.com"}