CVE-2021-23884

Cleartext Transmission of Sensitive Information vulnerability in the ePO Extension of McAfee Content Security Reporter (CSR) prior to 2.8.0 allows an ePO administrator to view the unencrypted password of the McAfee Web Gateway (MWG) or the password of the McAfee Web Gateway Cloud Server (MWGCS) read only user used to retrieve log files for analysis in CSR.

CVSS v3 4.3 MEDIUM
CVSS v2.0 2.7 LOW

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 0.7 / Impact : 3.6

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

2.7^/10

CVSS v2.0 : LOW

Vector : AV:A/AC:L/Au:S/C:P/I:N/A:N

Exploitability : 5.1 / Impact : 2.9

Access Vector ADJACENT_NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://kc.mcafee.com/corporate/index?page=content&id=SB10353	Broken Link

Configurations

Configuration 1 (hide)

cpe:2.3:a:mcafee:content_security_reporter:*:*:*:*:*:*:*:*

History

16 Nov 2023, 02:51

Type	Values Removed	Values Added
CWE		CWE-319
References	~~() https://kc.mcafee.com/corporate/index?page=content&id=SB10353 -~~	() https://kc.mcafee.com/corporate/index?page=content&id=SB10353 - Broken Link

07 Nov 2023, 03:30

Type	Values Removed	Values Added
References	~~(CONFIRM) https://kc.mcafee.com/corporate/index?page=content&id=SB10353 - Patch, Vendor Advisory~~	() https://kc.mcafee.com/corporate/index?page=content&id=SB10353 -
CWE	~~CWE-319~~

Information

Published : 2021-04-15 08:15

Updated : 2024-02-28 18:28

NVD link : CVE-2021-23884

Mitre link : CVE-2021-23884

CVE.ORG link : CVE-2021-23884

JSON object : View

Products Affected

mcafee

content_security_reporter

CWE

CWE-319

Cleartext Transmission of Sensitive Information

{"id": "CVE-2021-23884", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 2.7, "accessVector": "ADJACENT_NETWORK", "vectorString": "AV:A/AC:L/Au:S/C:P/I:N/A:N", "authentication": "SINGLE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 5.1, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 0.7}, {"type": "Secondary", "source": "trellixpsirt@trellix.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 0.7}]}, "published": "2021-04-15T08:15:14.510", "references": [{"url": "https://kc.mcafee.com/corporate/index?page=content&id=SB10353", "tags": ["Broken Link"], "source": "trellixpsirt@trellix.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-319"}]}, {"type": "Secondary", "source": "trellixpsirt@trellix.com", "description": [{"lang": "en", "value": "CWE-319"}]}], "descriptions": [{"lang": "en", "value": "Cleartext Transmission of Sensitive Information vulnerability in the ePO Extension of McAfee Content Security Reporter (CSR) prior to 2.8.0 allows an ePO administrator to view the unencrypted password of the McAfee Web Gateway (MWG) or the password of the McAfee Web Gateway Cloud Server (MWGCS) read only user used to retrieve log files for analysis in CSR."}, {"lang": "es", "value": "Una vulnerabilidad de Transmisi\u00f3n de Texto Sin Cifrar de Informaci\u00f3n Confidencial en la Extensi\u00f3n ePO de McAfee Content Security Reporter (CSR) anterior a versi\u00f3n 2.8.0, permite a un administrador de ePO visualizar la contrase\u00f1a no cifrada de McAfee Web Gateway (MWG) o la contrase\u00f1a del usuario de solo lectura de McAfee Web Gateway Cloud Server (MWGCS) usado para recuperar archivos de registro para su an\u00e1lisis en CSR"}], "lastModified": "2023-11-16T02:51:05.737", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mcafee:content_security_reporter:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4D6974CE-A6F8-4A23-B876-BABE9BDF4010", "versionEndExcluding": "2.8.0"}], "operator": "OR"}]}], "sourceIdentifier": "trellixpsirt@trellix.com"}