CVE-2016-2364

{"id": "CVE-2016-2364", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2016-06-20T01:59:05.820", "references": [{"url": "http://www.kb.cert.org/vuls/id/754056", "tags": ["Third Party Advisory", "US Government Resource"], "source": "cret@cert.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-310"}, {"lang": "en", "value": "NVD-CWE-Other"}]}], "descriptions": [{"lang": "en", "value": "The Chrome HUDweb plugin before 2016-05-05 for Fonality (previously trixbox Pro) 12.6 through 14.1i uses the same hardcoded private key across different customers' installations, which allows remote attackers to defeat cryptographic protection mechanisms by leveraging knowledge of this key from another installation."}, {"lang": "es", "value": "El plugin Chrome HUDweb en versiones anteriores a 2016-05-05 para Fonality (anteriormente trixbox Pro) 12.6 hasta la versi\u00f3n 14.1i utiliza la misma clave privada embebida para instalaciones de diferentes clientes, lo que permite a atacantes remotos vencer los mecanismos de protecci\u00f3n criptogr\u00e1fica aprovechando el conocimiento de esta clave de otra instalaci\u00f3n."}], "lastModified": "2016-06-21T18:25:22.600", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:fonality:hud_web:*:*:*:*:*:fonality:*:*", "vulnerable": true, "matchCriteriaId": "BD35F1F1-F0AA-46F9-B24C-66554B45F7C4", "versionEndIncluding": "1.4.1"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:fonality:fonality:12.6:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "29E9F615-9032-40D5-85C1-7585095A4CE0"}, {"criteria": "cpe:2.3:a:fonality:fonality:12.8:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5E12C4A8-CE71-438B-BA3E-834C0B3B8E45"}, {"criteria": "cpe:2.3:a:fonality:fonality:14.1i:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "422FB29B-AB6B-4742-9331-DAC5F4A91315"}], "operator": "OR"}], "operator": "AND"}], "evaluatorComment": "<a href=\"http://cwe.mitre.org/data/definitions/321.html\">CWE-321: Use of Hard-coded Cryptographic Key</a>", "sourceIdentifier": "cret@cert.org"}