CVE-2024-22432

Networker 19.9 and all prior versions contains a Plain-text Password stored in temporary config file during backup duration in NMDA MySQL Database backups. User has low privilege access to Networker Client system could potentially exploit this vulnerability, leading to the disclosure of configured MySQL Database user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application Database with privileges of the compromised account.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.0 / Impact : 4.0

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://www.dell.com/support/kbdoc/en-us/000221474/dsa-2024-059-security-update-for-dell-networker-multiple-components-vulnerabilities	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:dell:networker:*:*:*:*:*:*:*:*

History

01 Feb 2024, 17:00

Type	Values Removed	Values Added
CPE		cpe:2.3:a:dell:networker::::::::
First Time		Dell Dell networker
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.5
CWE		CWE-522
References	~~() https://www.dell.com/support/kbdoc/en-us/000221474/dsa-2024-059-security-update-for-dell-networker-multiple-components-vulnerabilities -~~	() https://www.dell.com/support/kbdoc/en-us/000221474/dsa-2024-059-security-update-for-dell-networker-multiple-components-vulnerabilities - Vendor Advisory

25 Jan 2024, 15:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-01-25 15:15

Updated : 2024-02-28 20:54

NVD link : CVE-2024-22432

Mitre link : CVE-2024-22432

CVE.ORG link : CVE-2024-22432

JSON object : View

Products Affected

dell

networker

CWE

CWE-522

Insufficiently Protected Credentials

CWE-256

Plaintext Storage of a Password

{"id": "CVE-2024-22432", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 4.0, "exploitabilityScore": 2.0}, {"type": "Secondary", "source": "security_alert@emc.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 1.1}]}, "published": "2024-01-25T15:15:07.923", "references": [{"url": "https://www.dell.com/support/kbdoc/en-us/000221474/dsa-2024-059-security-update-for-dell-networker-multiple-components-vulnerabilities", "tags": ["Vendor Advisory"], "source": "security_alert@emc.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-522"}]}, {"type": "Secondary", "source": "security_alert@emc.com", "description": [{"lang": "en", "value": "CWE-256"}]}], "descriptions": [{"lang": "en", "value": "\nNetworker 19.9 and all prior versions contains a Plain-text Password stored in temporary config file during backup duration in NMDA MySQL Database backups. User has low privilege access to Networker Client system could potentially exploit this vulnerability, leading to the disclosure of configured MySQL Database user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application Database with privileges of the compromised account.\n\n"}, {"lang": "es", "value": "Networker 19.9 y todas las versiones anteriores contienen una contrase\u00f1a de texto plano almacenada en un archivo de configuraci\u00f3n temporal durante la duraci\u00f3n de la copia de seguridad en las copias de seguridad de la base de datos NMDA MySQL. El usuario que tiene acceso con privilegios bajos al sistema Networker Client podr\u00eda explotar esta vulnerabilidad, lo que llevar\u00eda a la divulgaci\u00f3n de las credenciales de usuario configuradas de la base de datos MySQL. Es posible que el atacante pueda utilizar las credenciales expuestas para acceder a la base de datos de la aplicaci\u00f3n vulnerable con los privilegios de la cuenta comprometida."}], "lastModified": "2024-02-01T17:00:46.647", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:dell:networker:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EE2BADD6-F99D-4DDA-BDBE-724D38246526", "versionEndIncluding": "19.9"}], "operator": "OR"}]}], "sourceIdentifier": "security_alert@emc.com"}