CVE-2009-2201 - OpenCVE

The screensharing feature in the Admin application in Apple Xsan before 2.2 places a cleartext username and password in a URL within an error dialog, which allows physically proximate attackers to obtain credentials by reading this dialog.

No CVSS v3.1

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:L/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Apple	Xsan

Configuration 1 [-]

OR	cpe:2.3:a:apple:xsan::::::::
	cpe:2.3:a:apple:xsan:1.0:::::::*
	cpe:2.3:a:apple:xsan:1.2:::::::*
	cpe:2.3:a:apple:xsan:1.3:::::::*

References

Link	Resource
http://lists.apple.com/archives/security-announce/2009/Sep/msg00005.html	Patch Vendor Advisory
http://osvdb.org/58133
http://secunia.com/advisories/36673
http://support.apple.com/kb/HT3797	Patch Vendor Advisory
http://www.securityfocus.com/bid/36385	Patch
http://www.securitytracker.com/id?1022904
http://www.vupen.com/english/advisories/2009/2644	Patch Vendor Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/53232

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2009-09-15T22:00:00

Updated: 2017-08-16T14:57:01

Reserved: 2009-06-24T00:00:00

Link: CVE-2009-2201

JSON object: View

NVD Information

Status : Modified

Published: 2009-09-15T22:30:00.203

Modified: 2017-08-17T01:30:41.773

Link: CVE-2009-2201

JSON object: View

Redhat Information

No data.

CWE

CWE-310

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2009-09-14T00:00:00", "descriptions": [{"lang": "en", "value": "The screensharing feature in the Admin application in Apple Xsan before 2.2 places a cleartext username and password in a URL within an error dialog, which allows physically proximate attackers to obtain credentials by reading this dialog."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-08-16T14:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "xsan-admin-information-disclosure(53232)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/53232"}, {"name": "36385", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/36385"}, {"name": "58133", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://osvdb.org/58133"}, {"name": "ADV-2009-2644", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2009/2644"}, {"name": "1022904", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id?1022904"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://support.apple.com/kb/HT3797"}, {"name": "APPLE-SA-2009-09-14-1", "tags": ["vendor-advisory", "x_refsource_APPLE"], "url": "http://lists.apple.com/archives/security-announce/2009/Sep/msg00005.html"}, {"name": "36673", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/36673"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2009-2201", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The screensharing feature in the Admin application in Apple Xsan before 2.2 places a cleartext username and password in a URL within an error dialog, which allows physically proximate attackers to obtain credentials by reading this dialog."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "xsan-admin-information-disclosure(53232)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/53232"}, {"name": "36385", "refsource": "BID", "url": "http://www.securityfocus.com/bid/36385"}, {"name": "58133", "refsource": "OSVDB", "url": "http://osvdb.org/58133"}, {"name": "ADV-2009-2644", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2009/2644"}, {"name": "1022904", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id?1022904"}, {"name": "http://support.apple.com/kb/HT3797", "refsource": "CONFIRM", "url": "http://support.apple.com/kb/HT3797"}, {"name": "APPLE-SA-2009-09-14-1", "refsource": "APPLE", "url": "http://lists.apple.com/archives/security-announce/2009/Sep/msg00005.html"}, {"name": "36673", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/36673"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2009-2201", "datePublished": "2009-09-15T22:00:00", "dateReserved": "2009-06-24T00:00:00", "dateUpdated": "2017-08-16T14:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apple:xsan:*:*:*:*:*:*:*:*", "matchCriteriaId": "089C95C5-26EC-4199-B73C-A3C92BF568F5", "versionEndIncluding": "2.1.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:apple:xsan:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "C5897F93-F78D-42CB-9882-00769B3411D6", "vulnerable": true}, {"criteria": "cpe:2.3:a:apple:xsan:1.2:*:*:*:*:*:*:*", "matchCriteriaId": "539F122F-FBB5-45DE-8CB4-EEE5E35B4548", "vulnerable": true}, {"criteria": "cpe:2.3:a:apple:xsan:1.3:*:*:*:*:*:*:*", "matchCriteriaId": "3AA03C6F-A7AA-4759-AD7B-A6365ACBA801", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The screensharing feature in the Admin application in Apple Xsan before 2.2 places a cleartext username and password in a URL within an error dialog, which allows physically proximate attackers to obtain credentials by reading this dialog."}, {"lang": "es", "value": "La caracter\u00edstica de pantalla compartida en la aplicaci\u00f3n Admin en Apple Xsan anterior a v2.2, ubica en texto plano el nombre de usuario y la contrase\u00f1a en una URL dentro de un mensaje de error, lo que permite a atacantes que se encuentren cerca f\u00edsicamente, el obtener las credenciales leyendo dicho mensaje."}], "id": "CVE-2009-2201", "lastModified": "2017-08-17T01:30:41.773", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2009-09-15T22:30:00.203", "references": [{"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "http://lists.apple.com/archives/security-announce/2009/Sep/msg00005.html"}, {"source": "cve@mitre.org", "url": "http://osvdb.org/58133"}, {"source": "cve@mitre.org", "url": "http://secunia.com/advisories/36673"}, {"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "http://support.apple.com/kb/HT3797"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "http://www.securityfocus.com/bid/36385"}, {"source": "cve@mitre.org", "url": "http://www.securitytracker.com/id?1022904"}, {"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "http://www.vupen.com/english/advisories/2009/2644"}, {"source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/53232"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-310"}], "source": "nvd@nist.gov", "type": "Primary"}]}