Vulnerabilities related to versa-networks - versa_analytics
Vulnerability from fkie_nvd
Published: 2021-05-26 19:15
Modified: 2024-11-21 03:52
Summary
In Versa Analytics, cron jobs are used for scheduling tasks by executing commands at specific dates and times on the server. If the job is run as the user root, there is a potential privilege escalation vulnerability. In this case, the job runs a script as root that is writable by users who are members of the versa group.
References
Source | URL | Tags
---|---|---
support@hackerone.com | https://hackerone.com/reports/1168194 | Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://hackerone.com/reports/1168194 | Third Party Advisory
Impacted products
Vendor | Product | Version
---|---|---
versa-networks | versa_analytics | -
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:versa-networks:versa_analytics:-:*:*:*:*:*:*:*", "matchCriteriaId": "1D5BC5CF-B979-4689-BD33-45A8E8D16375", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "In Versa Analytics, the cron jobs are used for scheduling tasks by executing commands at specific dates and times on the server. If the job is run as the user root, there is a potential privilege escalation vulnerability. In this case, the job runs a script as root that is writable by users who are members of the versa group." }, { "lang": "es", "value": "En Versa Analytics, los trabajos cron son utilizados para programar tareas ejecutando comandos en fechas y horas espec\u00edficas en el servidor.\u0026#xa0;Si el trabajo se ejecuta como usuario root, se presenta una potencial vulnerabilidad de escalada de privilegios.\u0026#xa0;En este caso, el trabajo ejecuta un script como root que es escribible por usuarios que son miembros del grupo versa" } ], "id": "CVE-2018-16497", "lastModified": "2024-11-21T03:52:52.250", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 7.2, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0" }, "exploitabilityScore": 3.9, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", 
"userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-05-26T19:15:08.643", "references": [ { "source": "support@hackerone.com", "tags": [ "Third Party Advisory" ], "url": "https://hackerone.com/reports/1168194" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://hackerone.com/reports/1168194" } ], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-269" } ], "source": "support@hackerone.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-269" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published: 2021-05-26 19:15
Modified: 2024-11-21 04:39
Summary
In Versa Director, Versa Analytics and VOS, passwords are not hashed using an adaptive cryptographic hash function or key derivation function prior to storage. Popular hashing algorithms based on the Merkle-Damgard construction (such as MD5 and SHA-1) alone are insufficient in thwarting password cracking. Attackers can generate and use precomputed hashes for all possible password character combinations (commonly referred to as "rainbow tables") relatively quickly. The use of adaptive hashing algorithms such as scrypt or bcrypt, or key-derivation functions (i.e. PBKDF2), to hash passwords makes generation of such rainbow tables computationally infeasible.
References
Source | URL | Tags
---|---|---
support@hackerone.com | https://hackerone.com/reports/1168197 | Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://hackerone.com/reports/1168197 | Third Party Advisory
Impacted products
Vendor | Product | Version
---|---|---
versa-networks | versa_analytics | -
versa-networks | versa_director | -
versa-networks | versa_operating_system | -
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:versa-networks:versa_analytics:-:*:*:*:*:*:*:*", "matchCriteriaId": "1D5BC5CF-B979-4689-BD33-45A8E8D16375", "vulnerable": true }, { "criteria": "cpe:2.3:a:versa-networks:versa_director:-:*:*:*:*:*:*:*", "matchCriteriaId": "4DE5070B-93B9-478C-999C-2E0D4B66868C", "vulnerable": true }, { "criteria": "cpe:2.3:o:versa-networks:versa_operating_system:-:*:*:*:*:*:*:*", "matchCriteriaId": "02ECA632-35D4-4CCC-87D2-8160EC077EB7", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "In Versa Director, Versa Analytics and VOS, Passwords are not hashed using an adaptive cryptographic hash function or key derivation function prior to storage. Popular hashing algorithms based on the Merkle-Damgardconstruction (such as MD5 and SHA-1) alone are insufficient in thwarting password cracking. Attackers can generate and use precomputed hashes for all possible password character combinations (commonly referred to as \"rainbow tables\") relatively quickly. The use of adaptive hashing algorithms such asscryptorbcryptor Key-Derivation Functions (i.e.PBKDF2) to hash passwords make generation of such rainbow tables computationally infeasible." 
}, { "lang": "es", "value": "En Versa Director, Versa Analytics y VOS, las contrase\u00f1as son procesadas usando una funci\u00f3n hash criptogr\u00e1fica adaptativa o una funci\u00f3n de derivation de clave antes del almacenamiento.\u0026#xa0;Los algoritmos de hash populares basados ??en la construcci\u00f3n Merkle-Damgard (como MD5 y SHA-1) por s\u00ed solos son insuficientes para frustrar el descifrado de contrase\u00f1as.\u0026#xa0;Unos atacantes pueden generar y utilizar hashes precalculados para todas las combinaciones posibles de caracteres de contrase\u00f1a (com\u00fanmente denominadas \"rainbow tables\") con relativa rapidez.\u0026#xa0;El uso de algoritmos de hash adaptativos, como las funciones de derivaci\u00f3n de claves de cifrado y cifrado (es decir, PBKDF2) para cifrar contrase\u00f1as, hace que la generaci\u00f3n de tales rainbow tables sea computacionalmente inviable" } ], "id": "CVE-2019-25030", "lastModified": "2024-11-21T04:39:46.803", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", 
"type": "Primary" } ] }, "published": "2021-05-26T19:15:08.813", "references": [ { "source": "support@hackerone.com", "tags": [ "Third Party Advisory" ], "url": "https://hackerone.com/reports/1168197" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://hackerone.com/reports/1168197" } ], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-522" } ], "source": "support@hackerone.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-522" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
CVE-2019-25030 (GCVE-0-2019-25030)
Vulnerability from cvelistv5
Published: 2021-05-26 18:45
Modified: 2024-08-05 03:00
CWE
- CWE-522 - Insufficiently Protected Credentials
Summary
In Versa Director, Versa Analytics and VOS, passwords are not hashed using an adaptive cryptographic hash function or key derivation function prior to storage. Popular hashing algorithms based on the Merkle-Damgard construction (such as MD5 and SHA-1) alone are insufficient in thwarting password cracking. Attackers can generate and use precomputed hashes for all possible password character combinations (commonly referred to as "rainbow tables") relatively quickly. The use of adaptive hashing algorithms such as scrypt or bcrypt, or key-derivation functions (i.e. PBKDF2), to hash passwords makes generation of such rainbow tables computationally infeasible.
Impacted products
Vendor | Product | Version
---|---|---
n/a | Versa Director, Versa Analytics, Versa VOS | Fixed Versions: 16.1R2S11, 20.2.2, 21.1.1, 21.2.1
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T03:00:19.000Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://hackerone.com/reports/1168197" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Versa Director, Versa Analytics, Versa VOS", "vendor": "n/a", "versions": [ { "status": "affected", "version": "Fixed Versions: 16.1R2S11, 20.2.2, 21.1.1, 21.2.1" } ] } ], "descriptions": [ { "lang": "en", "value": "In Versa Director, Versa Analytics and VOS, Passwords are not hashed using an adaptive cryptographic hash function or key derivation function prior to storage. Popular hashing algorithms based on the Merkle-Damgardconstruction (such as MD5 and SHA-1) alone are insufficient in thwarting password cracking. Attackers can generate and use precomputed hashes for all possible password character combinations (commonly referred to as \"rainbow tables\") relatively quickly. The use of adaptive hashing algorithms such asscryptorbcryptor Key-Derivation Functions (i.e.PBKDF2) to hash passwords make generation of such rainbow tables computationally infeasible." 
} ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-522", "description": "Insufficiently Protected Credentials (CWE-522)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-05-26T18:45:38", "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://hackerone.com/reports/1168197" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "support@hackerone.com", "ID": "CVE-2019-25030", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Versa Director, Versa Analytics, Versa VOS", "version": { "version_data": [ { "version_value": "Fixed Versions: 16.1R2S11, 20.2.2, 21.1.1, 21.2.1" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In Versa Director, Versa Analytics and VOS, Passwords are not hashed using an adaptive cryptographic hash function or key derivation function prior to storage. Popular hashing algorithms based on the Merkle-Damgardconstruction (such as MD5 and SHA-1) alone are insufficient in thwarting password cracking. Attackers can generate and use precomputed hashes for all possible password character combinations (commonly referred to as \"rainbow tables\") relatively quickly. The use of adaptive hashing algorithms such asscryptorbcryptor Key-Derivation Functions (i.e.PBKDF2) to hash passwords make generation of such rainbow tables computationally infeasible." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Insufficiently Protected Credentials (CWE-522)" } ] } ] }, "references": { "reference_data": [ { "name": "https://hackerone.com/reports/1168197", "refsource": "MISC", "url": "https://hackerone.com/reports/1168197" } ] } } } }, "cveMetadata": { "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "assignerShortName": "hackerone", "cveId": "CVE-2019-25030", "datePublished": "2021-05-26T18:45:38", "dateReserved": "2021-04-23T00:00:00", "dateUpdated": "2024-08-05T03:00:19.000Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2018-16497 (GCVE-0-2018-16497)
Vulnerability from cvelistv5
Published: 2021-05-26 18:45
Modified: 2024-08-05 10:24
CWE
- CWE-269 - Improper Privilege Management
Summary
In Versa Analytics, cron jobs are used for scheduling tasks by executing commands at specific dates and times on the server. If the job is run as the user root, there is a potential privilege escalation vulnerability. In this case, the job runs a script as root that is writable by users who are members of the versa group.
Impacted products
Vendor | Product | Version
---|---|---
n/a | Versa Analytics | Fixed Versions: 16.1R2S11, 20.2.2, 21.1.1, 21.2.1
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T10:24:32.964Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://hackerone.com/reports/1168194" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Versa Analytics", "vendor": "n/a", "versions": [ { "status": "affected", "version": "Fixed Versions: 16.1R2S11, 20.2.2, 21.1.1, 21.2.1" } ] } ], "descriptions": [ { "lang": "en", "value": "In Versa Analytics, the cron jobs are used for scheduling tasks by executing commands at specific dates and times on the server. If the job is run as the user root, there is a potential privilege escalation vulnerability. In this case, the job runs a script as root that is writable by users who are members of the versa group." } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-269", "description": "Improper Privilege Management (CWE-269)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-05-26T18:45:57", "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://hackerone.com/reports/1168194" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "support@hackerone.com", "ID": "CVE-2018-16497", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Versa Analytics", "version": { "version_data": [ { "version_value": "Fixed Versions: 16.1R2S11, 20.2.2, 21.1.1, 21.2.1" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In Versa Analytics, the cron jobs are used for scheduling tasks by executing commands at specific dates and times on the server. 
If the job is run as the user root, there is a potential privilege escalation vulnerability. In this case, the job runs a script as root that is writable by users who are members of the versa group." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Improper Privilege Management (CWE-269)" } ] } ] }, "references": { "reference_data": [ { "name": "https://hackerone.com/reports/1168194", "refsource": "MISC", "url": "https://hackerone.com/reports/1168194" } ] } } } }, "cveMetadata": { "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "assignerShortName": "hackerone", "cveId": "CVE-2018-16497", "datePublished": "2021-05-26T18:45:57", "dateReserved": "2018-09-04T00:00:00", "dateUpdated": "2024-08-05T10:24:32.964Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }