CVE-2020-26515

An insufficiently protected credentials issue was discovered in Intland codeBeamer ALM 10.x through 10.1.SP4. The remember-me cookie (CB_LOGIN) issued by the application contains the encrypted user's credentials. However, due to a bug in the application code, those credentials are encrypted using a NULL encryption key.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:intland:codebeamer:*:*:*:*:*:*:*:*
cpe:2.3:a:intland:codebeamer:10.1.0:-:*:*:*:*:*:*
cpe:2.3:a:intland:codebeamer:10.1.0:sp1:*:*:*:*:*:*
cpe:2.3:a:intland:codebeamer:10.1.0:sp2:*:*:*:*:*:*
cpe:2.3:a:intland:codebeamer:10.1.0:sp3:*:*:*:*:*:*
cpe:2.3:a:intland:codebeamer:10.1.0:sp4:*:*:*:*:*:*

History

18 Oct 2023, 19:04

Type Values Removed Values Added
First Time Intland codebeamer
CPE cpe:2.3:a:intland:codebeamer_application_lifecycle_management:*:*:*:*:*:*:*:*
cpe:2.3:a:intland:codebeamer_application_lifecycle_management:10.1.0:sp2:*:*:*:*:*:*
cpe:2.3:a:intland:codebeamer_application_lifecycle_management:10.1.0:sp1:*:*:*:*:*:*
cpe:2.3:a:intland:codebeamer_application_lifecycle_management:10.1.0:sp3:*:*:*:*:*:*
cpe:2.3:a:intland:codebeamer_application_lifecycle_management:10.1.0:-:*:*:*:*:*:*
cpe:2.3:a:intland:codebeamer_application_lifecycle_management:10.1.0:sp4:*:*:*:*:*:*
cpe:2.3:a:intland:codebeamer:10.1.0:sp4:*:*:*:*:*:*
cpe:2.3:a:intland:codebeamer:10.1.0:sp2:*:*:*:*:*:*
cpe:2.3:a:intland:codebeamer:10.1.0:-:*:*:*:*:*:*
cpe:2.3:a:intland:codebeamer:*:*:*:*:*:*:*:*
cpe:2.3:a:intland:codebeamer:10.1.0:sp3:*:*:*:*:*:*
cpe:2.3:a:intland:codebeamer:10.1.0:sp1:*:*:*:*:*:*

12 Jul 2022, 17:42

Type Values Removed Values Added
CWE CWE-327

16 Jun 2021, 16:41

Type Values Removed Values Added
CWE CWE-522
CVSS v2 : unknown
v3 : unknown
v2 : 5.0
v3 : 7.5
References (MISC) https://intland.com/codebeamer/application-lifecycle-management/ - (MISC) https://intland.com/codebeamer/application-lifecycle-management/ - Product, Vendor Advisory
References (MISC) https://www.compass-security.com/fileadmin/Research/Advisories/2021-09_CSNC-2020-010-codebeamer_ALM_Insecure-RememberMe.txt - (MISC) https://www.compass-security.com/fileadmin/Research/Advisories/2021-09_CSNC-2020-010-codebeamer_ALM_Insecure-RememberMe.txt - Exploit, Third Party Advisory
CPE cpe:2.3:a:intland:codebeamer_application_lifecycle_management:10.1.0:sp1:*:*:*:*:*:*
cpe:2.3:a:intland:codebeamer_application_lifecycle_management:*:*:*:*:*:*:*:*
cpe:2.3:a:intland:codebeamer_application_lifecycle_management:10.1.0:sp3:*:*:*:*:*:*
cpe:2.3:a:intland:codebeamer_application_lifecycle_management:10.1.0:-:*:*:*:*:*:*
cpe:2.3:a:intland:codebeamer_application_lifecycle_management:10.1.0:sp2:*:*:*:*:*:*
cpe:2.3:a:intland:codebeamer_application_lifecycle_management:10.1.0:sp4:*:*:*:*:*:*

08 Jun 2021, 13:53

Type Values Removed Values Added
New CVE

Information

Published : 2021-06-08 13:15

Updated : 2023-12-10 13:55


NVD link : CVE-2020-26515

Mitre link : CVE-2020-26515

CVE.ORG link : CVE-2020-26515


JSON object : View

Products Affected

intland

  • codebeamer
CWE
CWE-327

Use of a Broken or Risky Cryptographic Algorithm

CWE-522

Insufficiently Protected Credentials