CVE-2020-7196 - OpenCVE

The HPE BlueData EPIC Software Platform version 4.0 and HPE Ezmeral Container Platform 5.0 use an insecure method of handling sensitive Kerberos passwords that is susceptible to unauthorized interception and/or retrieval. Specifically, they display the kdc_admin_password in the source file of the url "/bdswebui/assignusers/".

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:S/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Hp	Bluedata Epic Ezmeral Container Platform

Configuration 1 [-]

OR	cpe:2.3:a:hp:bluedata_epic::::::::
	cpe:2.3:a:hp:ezmeral_container_platform:5.0:::::::*

No data.

References

Link	Providers
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn04049en_us

History

No history.

MITRE

Status: PUBLISHED

Assigner: hpe

Published: 2020-10-26T15:05:48

Updated: 2024-08-04T09:25:47.990Z

Reserved: 2020-01-16T00:00:00

Link: CVE-2020-7196

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-10-26T16:15:14.097

Modified: 2021-07-21T11:39:23.747

Link: CVE-2020-7196

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "BlueData EPIC Software; HPE Ezmeral Container Platform", "vendor": "n/a", "versions": [{"status": "affected", "version": "4.0 and earlier"}, {"status": "affected", "version": "5.0"}]}], "descriptions": [{"lang": "en", "value": "The HPE BlueData EPIC Software Platform version 4.0 and HPE Ezmeral Container Platform 5.0 use an insecure method of handling sensitive Kerberos passwords that is susceptible to unauthorized interception and/or retrieval. Specifically, they display the kdc_admin_password in the source file of the url \"/bdswebui/assignusers/\"."}], "problemTypes": [{"descriptions": [{"description": "remote disclosure of privileged information", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-10-26T15:05:48", "orgId": "eb103674-0d28-4225-80f8-39fb86215de0", "shortName": "hpe"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn04049en_us"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-alert@hpe.com", "ID": "CVE-2020-7196", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "BlueData EPIC Software; HPE Ezmeral Container Platform", "version": {"version_data": [{"version_value": "4.0 and earlier"}, {"version_value": "5.0"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The HPE BlueData EPIC Software Platform version 4.0 and HPE Ezmeral Container Platform 5.0 use an insecure method of handling sensitive Kerberos passwords that is susceptible to unauthorized interception and/or retrieval. Specifically, they display the kdc_admin_password in the source file of the url \"/bdswebui/assignusers/\"."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "remote disclosure of privileged information"}]}]}, "references": {"reference_data": [{"name": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn04049en_us", "refsource": "MISC", "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn04049en_us"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T09:25:47.990Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn04049en_us"}]}]}, "cveMetadata": {"assignerOrgId": "eb103674-0d28-4225-80f8-39fb86215de0", "assignerShortName": "hpe", "cveId": "CVE-2020-7196", "datePublished": "2020-10-26T15:05:48", "dateReserved": "2020-01-16T00:00:00", "dateUpdated": "2024-08-04T09:25:47.990Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hp:bluedata_epic:*:*:*:*:*:*:*:*", "matchCriteriaId": "D0AA40C4-D6C8-4072-AB92-31036E820F90", "versionEndIncluding": "4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:hp:ezmeral_container_platform:5.0:*:*:*:*:*:*:*", "matchCriteriaId": "F751C3FE-7A93-41B8-A894-F38F44C8D816", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The HPE BlueData EPIC Software Platform version 4.0 and HPE Ezmeral Container Platform 5.0 use an insecure method of handling sensitive Kerberos passwords that is susceptible to unauthorized interception and/or retrieval. Specifically, they display the kdc_admin_password in the source file of the url \"/bdswebui/assignusers/\"."}, {"lang": "es", "value": "HPE BlueData EPIC Software Platform versi\u00f3n 4.0 y HPE Ezmeral Container Platform versi\u00f3n 5.0, usan un m\u00e9todo no seguro para manejar contrase\u00f1as de Kerberos confidenciales que es susceptible de interceptaci\u00f3n y/o recuperaci\u00f3n no autorizada. Espec\u00edficamente, muestran la funci\u00f3n kdc_admin_password en el archivo fuente de la URL \"/bdswebui/ assignusers/\""}], "id": "CVE-2020-7196", "lastModified": "2021-07-21T11:39:23.747", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-10-26T16:15:14.097", "references": [{"source": "security-alert@hpe.com", "tags": ["Vendor Advisory"], "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn04049en_us"}], "sourceIdentifier": "security-alert@hpe.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-522"}], "source": "nvd@nist.gov", "type": "Primary"}]}