CVE-2019-19696

A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishing sites.

CVSS v3 5.5 MEDIUM
CVSS v2.0 2.1 LOW

5.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

2.1^/10

CVSS v2.0 : LOW

Vector : AV:L/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 3.9 / Impact : 2.9

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://esupport.trendmicro.com/en-us/home/pages/technical-support/1124092.aspx	Vendor Advisory
https://esupport.trendmicro.com/support/pwm/solution/ja-jp/1124091.aspx	Vendor Advisory
https://jvn.jp/en/jp/JVN37183636/index.html	Third Party Advisory
https://jvn.jp/jp/JVN37183636/index.html	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:trendmicro:password_manager::::::windows::*
	cpe:2.3:a:trendmicro:password_manager::::::macos::*

History

No history.

Information

Published : 2020-01-18 00:15

Updated : 2023-12-10 13:13

NVD link : CVE-2019-19696

Mitre link : CVE-2019-19696

CVE.ORG link : CVE-2019-19696

JSON object : View

Products Affected

trendmicro

password_manager

CWE

CWE-522

Insufficiently Protected Credentials

{"id": "CVE-2019-19696", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 2.1, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2020-01-18T00:15:12.093", "references": [{"url": "https://esupport.trendmicro.com/en-us/home/pages/technical-support/1124092.aspx", "tags": ["Vendor Advisory"], "source": "security@trendmicro.com"}, {"url": "https://esupport.trendmicro.com/support/pwm/solution/ja-jp/1124091.aspx", "tags": ["Vendor Advisory"], "source": "security@trendmicro.com"}, {"url": "https://jvn.jp/en/jp/JVN37183636/index.html", "tags": ["Third Party Advisory"], "source": "security@trendmicro.com"}, {"url": "https://jvn.jp/jp/JVN37183636/index.html", "tags": ["Third Party Advisory"], "source": "security@trendmicro.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-522"}]}], "descriptions": [{"lang": "en", "value": "A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishing sites."}, {"lang": "es", "value": "Se presenta una vulnerabilidad de RootCA en Trend Micro Password Manager para Windows y macOS, en donde una parte no autorizada puede acceder inapropiadamente a localhost.key de RootCA.crt y podr\u00eda ser usado para crear certificados SSL maliciosos autofirmados, permitiendo a un atacante desviar un usuario hacia sitios de phishing."}], "lastModified": "2021-07-21T11:39:23.747", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:trendmicro:password_manager:*:*:*:*:*:windows:*:*", "vulnerable": true, "matchCriteriaId": "10786063-E760-469D-9B79-8F8650FC9815", "versionEndIncluding": "5.0.0.1076", "versionStartIncluding": "5.0"}, {"criteria": "cpe:2.3:a:trendmicro:password_manager:*:*:*:*:*:macos:*:*", "vulnerable": true, "matchCriteriaId": "FD555EA5-28B1-4247-A5D3-1D5A139CE079", "versionEndIncluding": "5.0.1047", "versionStartIncluding": "5.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@trendmicro.com"}