CVE-2020-7196 - OpenCVE

The HPE BlueData EPIC Software Platform version 4.0 and HPE Ezmeral Container Platform 5.0 use an insecure method of handling sensitive Kerberos passwords that is susceptible to unauthorized interception and/or retrieval. Specifically, they display the kdc_admin_password in the source file of the url "/bdswebui/assignusers/".

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:S/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Hp	Bluedata Epic Ezmeral Container Platform

Configuration 1 [-]

OR	cpe:2.3:a:hp:bluedata_epic::::::::
	cpe:2.3:a:hp:ezmeral_container_platform:5.0:::::::*

References

Link	Resource
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn04049en_us	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: hpe

Published: 2020-10-26T15:05:48

Updated: 2020-10-26T15:05:48

Reserved: 2020-01-16T00:00:00

Link: CVE-2020-7196

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-10-26T16:15:14.097

Modified: 2021-07-21T11:39:23.747

Link: CVE-2020-7196

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "BlueData EPIC Software; HPE Ezmeral Container Platform", "vendor": "n/a", "versions": [{"status": "affected", "version": "4.0 and earlier"}, {"status": "affected", "version": "5.0"}]}], "descriptions": [{"lang": "en", "value": "The HPE BlueData EPIC Software Platform version 4.0 and HPE Ezmeral Container Platform 5.0 use an insecure method of handling sensitive Kerberos passwords that is susceptible to unauthorized interception and/or retrieval. Specifically, they display the kdc_admin_password in the source file of the url \"/bdswebui/assignusers/\"."}], "problemTypes": [{"descriptions": [{"description": "remote disclosure of privileged information", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-10-26T15:05:48", "orgId": "eb103674-0d28-4225-80f8-39fb86215de0", "shortName": "hpe"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn04049en_us"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-alert@hpe.com", "ID": "CVE-2020-7196", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "BlueData EPIC Software; HPE Ezmeral Container Platform", "version": {"version_data": [{"version_value": "4.0 and earlier"}, {"version_value": "5.0"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The HPE BlueData EPIC Software Platform version 4.0 and HPE Ezmeral Container Platform 5.0 use an insecure method of handling sensitive Kerberos passwords that is susceptible to unauthorized interception and/or retrieval. Specifically, they display the kdc_admin_password in the source file of the url \"/bdswebui/assignusers/\"."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "remote disclosure of privileged information"}]}]}, "references": {"reference_data": [{"name": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn04049en_us", "refsource": "MISC", "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn04049en_us"}]}}}}, "cveMetadata": {"assignerOrgId": "eb103674-0d28-4225-80f8-39fb86215de0", "assignerShortName": "hpe", "cveId": "CVE-2020-7196", "datePublished": "2020-10-26T15:05:48", "dateReserved": "2020-01-16T00:00:00", "dateUpdated": "2020-10-26T15:05:48", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hp:bluedata_epic:*:*:*:*:*:*:*:*", "matchCriteriaId": "D0AA40C4-D6C8-4072-AB92-31036E820F90", "versionEndIncluding": "4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:hp:ezmeral_container_platform:5.0:*:*:*:*:*:*:*", "matchCriteriaId": "F751C3FE-7A93-41B8-A894-F38F44C8D816", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The HPE BlueData EPIC Software Platform version 4.0 and HPE Ezmeral Container Platform 5.0 use an insecure method of handling sensitive Kerberos passwords that is susceptible to unauthorized interception and/or retrieval. Specifically, they display the kdc_admin_password in the source file of the url \"/bdswebui/assignusers/\"."}, {"lang": "es", "value": "HPE BlueData EPIC Software Platform versi\u00f3n 4.0 y HPE Ezmeral Container Platform versi\u00f3n 5.0, usan un m\u00e9todo no seguro para manejar contrase\u00f1as de Kerberos confidenciales que es susceptible de interceptaci\u00f3n y/o recuperaci\u00f3n no autorizada. Espec\u00edficamente, muestran la funci\u00f3n kdc_admin_password en el archivo fuente de la URL \"/bdswebui/ assignusers/\""}], "id": "CVE-2020-7196", "lastModified": "2021-07-21T11:39:23.747", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-10-26T16:15:14.097", "references": [{"source": "security-alert@hpe.com", "tags": ["Vendor Advisory"], "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn04049en_us"}], "sourceIdentifier": "security-alert@hpe.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-522"}], "source": "nvd@nist.gov", "type": "Primary"}]}