CVE-2024-6833 - Vulnerability Details - OpenCVE

Description

A vulnerability in Zowe CLI allows local, privileged actors to store previously entered secure credentials in a plaintext file as part of an auto-init operation.

Published: 2024-07-17

Score: 5.9 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Open Mainframe Project

Zowe

affected

Version	Status	Constraints
`7.18.0`	affected	< 7.23.5

No data.

No data.

No data available yet.

Remediation

Vendor Solution

This issue is fixed in Zowe CLI 7.23.5 or later, included as part of Zowe 2.16.0 or later.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2024-2350	A vulnerability in Zowe CLI allows local, privileged actors to store previously entered secure credentials in a plaintext file as part of an auto-init operation.
Github GHSA	GHSA-ghgq-x6wc-6jr5	Zowe CLI allows storage of previously entered secure credentials in a plaintext file

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00027.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://github.com/zowe/zowe-cli/

History

No history.

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Zowe

Published: 2024-07-17T14:41:37.598Z

Updated: 2024-08-01T21:45:38.354Z

Reserved: 2024-07-17T14:41:37.247Z

Link: CVE-2024-6833

Vulnrichment

Updated: 2024-08-01T21:45:38.354Z

NVD

Status : Deferred

Published: 2024-07-17T15:15:14.783

Modified: 2026-04-15T00:35:42.020

Link: CVE-2024-6833

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

No weakness.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-6833", "assignerOrgId": "b1336bef-059d-4e13-b11b-9a6ef21b3c78", "state": "PUBLISHED", "assignerShortName": "Zowe", "dateReserved": "2024-07-17T14:41:37.247Z", "datePublished": "2024-07-17T14:41:37.598Z", "dateUpdated": "2024-08-01T21:45:38.354Z"}, "containers": {"cna": {"title": "Zowe CLI Auto-Init Leaks Credentials Locally", "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-257: Storing Passwords in a Recoverable Format"}]}, {"descriptions": [{"lang": "en", "description": "CWE-313: Cleartext Storage in a File or on Disk"}]}], "affected": [{"vendor": "Open Mainframe Project", "product": "Zowe", "versions": [{"version": "7.18.0", "status": "affected", "lessThan": "7.23.5", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability in Zowe CLI allows local, privileged actors to store previously entered secure credentials in a plaintext file as part of an auto-init operation."}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"baseScore": 5.9, "baseSeverity": "MEDIUM", "version": "3.1", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N/E:P/RL:O/RC:C/CR:M/IR:X/AR:X/MAV:L/MAC:L/MPR:L/MUI:R/MS:C/MC:H/MI:N/MA:N"}}], "solutions": [{"lang": "en", "value": "This issue is fixed in Zowe CLI 7.23.5 or later, included as part of Zowe 2.16.0 or later."}], "exploits": [{"lang": "en", "value": "There are no known exploits of this issue."}], "credits": [{"lang": "en", "value": "Broadcom Inc.", "type": "reporter"}], "providerMetadata": {"orgId": "b1336bef-059d-4e13-b11b-9a6ef21b3c78", "shortName": "Zowe", "dateUpdated": "2024-07-17T14:41:37.598Z"}, "references": [{"tags": ["product"], "url": "https://github.com/zowe/zowe-cli/"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-17T15:25:46.275201Z", "id": "CVE-2024-6833", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-17T15:26:04.582Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:45:38.354Z"}, "title": "CVE Program Container", "references": [{"tags": ["product", "x_transferred"], "url": "https://github.com/zowe/zowe-cli/"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/zowe/zowe-cli/", "tags": ["product", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:45:38.354Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-6833", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-17T15:25:46.275201Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-17T15:26:00.409Z"}}], "cna": {"title": "Zowe CLI Auto-Init Leaks Credentials Locally", "credits": [{"lang": "en", "type": "reporter", "value": "Broadcom Inc."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N/E:P/RL:O/RC:C/CR:M/IR:X/AR:X/MAV:L/MAC:L/MPR:L/MUI:R/MS:C/MC:H/MI:N/MA:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Open Mainframe Project", "product": "Zowe", "versions": [{"status": "affected", "version": "7.18.0", "lessThan": "7.23.5", "versionType": "semver"}]}], "exploits": [{"lang": "en", "value": "There are no known exploits of this issue."}], "solutions": [{"lang": "en", "value": "This issue is fixed in Zowe CLI 7.23.5 or later, included as part of Zowe 2.16.0 or later."}], "references": [{"url": "https://github.com/zowe/zowe-cli/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A vulnerability in Zowe CLI allows local, privileged actors to store previously entered secure credentials in a plaintext file as part of an auto-init operation."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-257: Storing Passwords in a Recoverable Format"}]}, {"descriptions": [{"lang": "en", "description": "CWE-313: Cleartext Storage in a File or on Disk"}]}], "providerMetadata": {"orgId": "b1336bef-059d-4e13-b11b-9a6ef21b3c78", "shortName": "Zowe", "dateUpdated": "2024-07-17T14:41:37.598Z"}}}, "cveMetadata": {"cveId": "CVE-2024-6833", "state": "PUBLISHED", "dateUpdated": "2024-08-01T21:45:38.354Z", "dateReserved": "2024-07-17T14:41:37.247Z", "assignerOrgId": "b1336bef-059d-4e13-b11b-9a6ef21b3c78", "datePublished": "2024-07-17T14:41:37.598Z", "assignerShortName": "Zowe"}, "dataVersion": "5.1"}