CVE-2024-6890

Password reset tokens are generated using an insecure source of randomness. Attackers who know the username of the Journyx installation user can bruteforce the password reset and change the administrator password.
Configurations

Configuration 1 (hide)

cpe:2.3:a:journyx:journyx:11.5.4:*:*:*:*:linux:*:*

History

21 Nov 2024, 09:50

Type Values Removed Values Added
References
  • () http://seclists.org/fulldisclosure/2024/Aug/5 -

08 Aug 2024, 20:53

Type Values Removed Values Added
References () https://korelogic.com/Resources/Advisories/KL-001-2024-007.txt - () https://korelogic.com/Resources/Advisories/KL-001-2024-007.txt - Exploit, Third Party Advisory
CPE cpe:2.3:a:journyx:journyx:11.5.4:*:*:*:*:linux:*:*
CWE CWE-798
First Time Journyx journyx
Journyx
CVSS v2 : unknown
v3 : 9.8
v2 : unknown
v3 : 8.8

08 Aug 2024, 14:35

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 9.8

08 Aug 2024, 13:04

Type Values Removed Values Added
Summary
  • (es) Los tokens de restablecimiento de contraseña se generan utilizando una fuente aleatoria insegura. Los atacantes que conocen el nombre de usuario del usuario de instalación de Journyx pueden forzar el restablecimiento de contraseña y cambiar la contraseña de administrador.

08 Aug 2024, 00:15

Type Values Removed Values Added
CWE CWE-321
CWE-334
CWE-799

07 Aug 2024, 23:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-08-07 23:15

Updated : 2024-11-21 09:50


NVD link : CVE-2024-6890

Mitre link : CVE-2024-6890

CVE.ORG link : CVE-2024-6890


JSON object : View

Products Affected

journyx

  • journyx
CWE
CWE-321

Use of Hard-coded Cryptographic Key

CWE-334

Small Space of Random Values

CWE-799

Improper Control of Interaction Frequency

CWE-798

Use of Hard-coded Credentials