An issue was discovered in Fujitsu Software Infrastructure Manager (ISM) before 2.8.0.061. The ismsnap component (in this specific case at /var/log/fujitsu/ServerViewSuite/ism/FirmwareManagement/FirmwareManagement.log) allows insecure collection and storage of authorization credentials in cleartext. That occurs when users perform any ISM Firmware Repository Address setup test (Test the Connection), or regularly authorize against an already configured remote firmware repository site, as set up in ISM Firmware Repository Address. A privileged attacker is therefore able to potentially gather the associated ismsnap maintenance data, in the same manner as a trusted party allowed to export ismsnap data from ISM. The preconditions for an ISM installation to be generally vulnerable are that the Download Firmware (Firmware Repository Server) function is enabled and configured, and that the character \ (backslash) is used in a user credential (i.e., user/ID or password) of the remote proxy host / firmware repository server. NOTE: this may overlap CVE-2023-39379.
References
Configurations
History
21 Nov 2024, 08:16
Type | Values Removed | Values Added |
---|---|---|
References | () https://security.ts.fujitsu.com/IndexDownload.asp?SoftwareGuid=a0131919-6d84-43b4-800e-d7f78200a70f - Patch | |
References | () https://security.ts.fujitsu.com/ProductSecurity/content/Fujitsu-PSIRT-ISS-IS-2023-071410-Security-Notice.pdf - Patch, Vendor Advisory | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 5.9 |
11 Aug 2023, 17:53
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-312 | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 5.0 |
First Time |
Fujitsu software Infrastructure Manager
Fujitsu |
|
References | (MISC) https://security.ts.fujitsu.com/IndexDownload.asp?SoftwareGuid=a0131919-6d84-43b4-800e-d7f78200a70f - Patch | |
References | (MISC) https://security.ts.fujitsu.com/ProductSecurity/content/Fujitsu-PSIRT-ISS-IS-2023-071410-Security-Notice.pdf - Patch, Vendor Advisory | |
CPE | cpe:2.3:a:fujitsu:software_infrastructure_manager:*:*:*:*:*:*:*:* |
07 Aug 2023, 05:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-08-07 05:15
Updated : 2024-11-21 08:16
NVD link : CVE-2023-39903
Mitre link : CVE-2023-39903
CVE.ORG link : CVE-2023-39903
JSON object : View
Products Affected
fujitsu
- software_infrastructure_manager
CWE
CWE-312
Cleartext Storage of Sensitive Information