CVE-2017-14376

EMC AppSync Server prior to 3.5.0.1 contains database accounts with hardcoded passwords that could potentially be exploited by malicious users to compromise the affected system.

CVSS v3 7.8 HIGH
CVSS v2.0 7.2 HIGH

7.8^/10

CVSS v3 : HIGH

Vector : AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

7.2^/10

CVSS v2.0 : HIGH

Vector : AV:L/AC:L/Au:N/C:C/I:C/A:C

Exploitability : 3.9 / Impact : 10.0

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
http://seclists.org/fulldisclosure/2017/Oct/68	Mailing List Third Party Advisory
http://www.securityfocus.com/bid/101626	Third Party Advisory VDB Entry

Configurations

Configuration 1 (hide)

cpe:2.3:a:emc:appsync:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2017-11-01 01:29

Updated : 2023-12-10 12:15

NVD link : CVE-2017-14376

Mitre link : CVE-2017-14376

CVE.ORG link : CVE-2017-14376

JSON object : View

Products Affected

emc

appsync

CWE

CWE-798

Use of Hard-coded Credentials

{"id": "CVE-2017-14376", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.2, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "LOW", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2017-11-01T01:29:00.497", "references": [{"url": "http://seclists.org/fulldisclosure/2017/Oct/68", "tags": ["Mailing List", "Third Party Advisory"], "source": "security_alert@emc.com"}, {"url": "http://www.securityfocus.com/bid/101626", "tags": ["Third Party Advisory", "VDB Entry"], "source": "security_alert@emc.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-798"}]}], "descriptions": [{"lang": "en", "value": "EMC AppSync Server prior to 3.5.0.1 contains database accounts with hardcoded passwords that could potentially be exploited by malicious users to compromise the affected system."}, {"lang": "es", "value": "EMC AppSync Server, en versiones anteriores a la 3.5.0.1, contiene cuentas de bases de datos con contrase\u00f1as embebidas, lo que podr\u00eda ser explotado por usuarios maliciosos con el fin de comprometer el sistema afectado."}], "lastModified": "2017-11-22T20:17:56.857", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:emc:appsync:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "527E7EAF-21FB-4804-B948-088CD56DCA4B", "versionEndExcluding": "3.5.0.1"}], "operator": "OR"}]}], "sourceIdentifier": "security_alert@emc.com"}