CVE-2016-5797 - OpenCVE

Tollgrade LightHouse SMS before 5.1 patch 3 provides different error messages for failed authentication attempts depending on whether the username exists, which allows remote attackers to enumerate account names via a series of attempts.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Tollgrade	Lighthouse Sms

Configuration 1 [-]

cpe:2.3:a:tollgrade:lighthouse_sms:*:*:*:*:*:*:*:*

References

Link	Resource
http://www.securityfocus.com/bid/91728
https://ics-cert.us-cert.gov/advisories/ICSA-16-194-01	Third Party Advisory US Government Resource

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: icscert

Published: 2016-07-15T16:00:00

Updated: 2016-11-25T19:57:01

Reserved: 2016-06-23T00:00:00

Link: CVE-2016-5797

JSON object: View

NVD Information

Status : Modified

Published: 2016-07-15T16:59:13.393

Modified: 2016-11-28T20:29:32.127

Link: CVE-2016-5797

JSON object: View

Redhat Information

No data.

CWE

CWE-200

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tollgrade:lighthouse_sms:*:*:*:*:*:*:*:*", "matchCriteriaId": "07556768-E56B-43A9-9B4B-53A529608BE4", "versionEndIncluding": "5.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Tollgrade LightHouse SMS before 5.1 patch 3 provides different error messages for failed authentication attempts depending on whether the username exists, which allows remote attackers to enumerate account names via a series of attempts."}, {"lang": "es", "value": "Tollgrade LightHouse SMS en versiones anteriores a 5.1 patch 3 proporciona diferentes mensajes de error para intentos de autenticaci\u00f3n fallidos en funci\u00f3n de si existe el nombre de usuario, lo que permite a atacantes remotos enumerar los nombres de cuenta a trav\u00e9s de una serie de intentos."}], "id": "CVE-2016-5797", "lastModified": "2016-11-28T20:29:32.127", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2016-07-15T16:59:13.393", "references": [{"source": "ics-cert@hq.dhs.gov", "url": "http://www.securityfocus.com/bid/91728"}, {"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://ics-cert.us-cert.gov/advisories/ICSA-16-194-01"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}]}