CVE-2019-11658 - Vulnerability Details - OpenCVE

Description

Information exposure in Micro Focus Content Manager, versions 9.1, 9.2 and 9.3. This vulnerability when configured to use an Oracle database, allows valid system users to gain access to a limited subset of records they would not normally be able to access when the system is in an undisclosed abnormal state.

Published: 2019-08-29

Score: 4.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Micro Focus

Content Manager

affected

Version	Status	Constraints
`9.1`	affected	—
`9.2`	affected	—
`9.3`	affected	—

Configuration 1 [-]

OR	cpe:2.3:a:microfocus:content_manager:9.1:::::::*
	cpe:2.3:a:microfocus:content_manager:9.2:::::::*
	cpe:2.3:a:microfocus:content_manager:9.3:::::::*

No data.

No data available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2019-3328	Information exposure in Micro Focus Content Manager, versions 9.1, 9.2 and 9.3. This vulnerability when configured to use an Oracle database, allows valid system users to gain access to a limited subset of records they would not normally be able to access when the system is in an undisclosed abnormal state.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00199.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://softwaresupport.softwaregrp.com/doc/KM03496282

History

No history.

Subscriptions

Microfocus Content Manager

MITRE

Status: PUBLISHED

Assigner: microfocus

Published: 2019-08-29T22:23:51.000Z

Updated: 2024-08-04T23:03:31.556Z

Reserved: 2019-05-01T00:00:00.000Z

Link: CVE-2019-11658

Vulnrichment

No data.

NVD

Status : Modified

Published: 2019-08-30T09:15:17.833

Modified: 2024-11-21T04:21:32.810

Link: CVE-2019-11658

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-200

{"containers": {"cna": {"affected": [{"product": "Content Manager", "vendor": "Micro Focus", "versions": [{"status": "affected", "version": "9.1"}, {"status": "affected", "version": "9.2"}, {"status": "affected", "version": "9.3"}]}], "descriptions": [{"lang": "en", "value": "Information exposure in Micro Focus Content Manager, versions 9.1, 9.2 and 9.3. This vulnerability when configured to use an Oracle database, allows valid system users to gain access to a limited subset of records they would not normally be able to access when the system is in an undisclosed abnormal state."}], "problemTypes": [{"descriptions": [{"description": "Information exposure", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-01-06T16:15:45.000Z", "orgId": "f81092c5-7f14-476d-80dc-24857f90be84", "shortName": "microfocus"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://softwaresupport.softwaregrp.com/doc/KM03496282"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@microfocus.com", "ID": "CVE-2019-11658", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Content Manager", "version": {"version_data": [{"version_value": "9.1"}, {"version_value": "9.2"}, {"version_value": "9.3"}]}}]}, "vendor_name": "Micro Focus"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Information exposure in Micro Focus Content Manager, versions 9.1, 9.2 and 9.3. This vulnerability when configured to use an Oracle database, allows valid system users to gain access to a limited subset of records they would not normally be able to access when the system is in an undisclosed abnormal state."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Information exposure"}]}]}, "references": {"reference_data": [{"name": "https://softwaresupport.softwaregrp.com/doc/KM03496282", "refsource": "CONFIRM", "url": "https://softwaresupport.softwaregrp.com/doc/KM03496282"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T23:03:31.556Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://softwaresupport.softwaregrp.com/doc/KM03496282"}]}]}, "cveMetadata": {"assignerOrgId": "f81092c5-7f14-476d-80dc-24857f90be84", "assignerShortName": "microfocus", "cveId": "CVE-2019-11658", "datePublished": "2019-08-29T22:23:51.000Z", "dateReserved": "2019-05-01T00:00:00.000Z", "dateUpdated": "2024-08-04T23:03:31.556Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microfocus:content_manager:9.1:*:*:*:*:*:*:*", "matchCriteriaId": "3BB65A0F-8122-478A-B6CC-C294B5058DCA", "vulnerable": true}, {"criteria": "cpe:2.3:a:microfocus:content_manager:9.2:*:*:*:*:*:*:*", "matchCriteriaId": "188A87B3-51E7-4BF9-AA4D-763341837307", "vulnerable": true}, {"criteria": "cpe:2.3:a:microfocus:content_manager:9.3:*:*:*:*:*:*:*", "matchCriteriaId": "C92ABB72-C181-4854-AF8E-07E4BEEC76DD", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Information exposure in Micro Focus Content Manager, versions 9.1, 9.2 and 9.3. This vulnerability when configured to use an Oracle database, allows valid system users to gain access to a limited subset of records they would not normally be able to access when the system is in an undisclosed abnormal state."}, {"lang": "es", "value": "Una exposici\u00f3n de informaci\u00f3n en Micro Focus Content Manager, versiones 9.1, 9.2 y 9.3. Esta vulnerabilidad cuando esta configurado para utilizar una base de datos de Oracle, permite a usuarios v\u00e1lidos del sistema conseguir acceso a un subconjunto limitado de registros a los que normalmente no son capaces de acceder cuando el sistema se encuentra en un estado anormal no revelado."}], "id": "CVE-2019-11658", "lastModified": "2024-11-21T04:21:32.810", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-08-30T09:15:17.833", "references": [{"source": "security@opentext.com", "url": "https://softwaresupport.softwaregrp.com/doc/KM03496282"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://softwaresupport.softwaregrp.com/doc/KM03496282"}], "sourceIdentifier": "security@opentext.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}]}