github - ghsa-f92c-vmwr-rmv8

ghsa-f92c-vmwr-rmv8

Vulnerability from github

Published

2024-12-09 21:31

Modified

2024-12-09 21:31

Severity ?

1.8 (Low) - CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/AU:N/R:U/V:C/RE:M/U:Clear

Details

User credentials (login & password) are inserted into log files when a user tries to authenticate using a version of a Web client that is not compatible with that of the PcVue Web back end. By exploiting this vulnerability, an attacker could retrieve the credentials of a user by accessing the Log File. Successful exploitation of this vulnerability could lead to unauthorized access to the application.

Show details on source website

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2024-12057"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-09T19:15:12Z",
    "severity": "LOW"
  },
  "details": "User credentials (login \u0026 password) are inserted into log files when a user tries to authenticate using a version of a Web client that is not compatible with that of the PcVue Web back end.\nBy exploiting this vulnerability, an attacker could retrieve the credentials of a user by accessing the Log File. Successful exploitation of this vulnerability could lead to unauthorized access to the application.",
  "id": "GHSA-f92c-vmwr-rmv8",
  "modified": "2024-12-09T21:31:01Z",
  "published": "2024-12-09T21:31:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12057"
    },
    {
      "type": "WEB",
      "url": "https://www.pcvue.com/security/#SB2024-6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:C/RE:M/U:Clear",
      "type": "CVSS_V4"
    }
  ]
}

CVE-2024-12057 (GCVE-0-2024-12057)

Vulnerability from cvelistv5

Published

2024-12-09 19:08

Modified

2025-03-21 15:55

Severity ?

1.8 (Low) - CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/AU:N/R:U/V:C/RE:M/U:Clear

CWE

CWE-532 - Insertion of Sensitive Information into Log File

Summary

User credentials (login & password) are inserted into log files when a user tries to authenticate using a version of a Web client that is not compatible with that of the PcVue Web back end. By exploiting this vulnerability, an attacker could retrieve the credentials of a user by accessing the Log File. Successful exploitation of this vulnerability could lead to unauthorized access to the application.

References

►

URL

Tags

https://www.pcvue.com/security/#SB2024-6

vendor-advisory

Impacted products

	Vendor	Product	Version
	arcinfo	PcVue	Version: 16.0.0 Version: 15.0.0

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-12057",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-10T21:22:40.386531Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-10T21:22:49.837Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "modules": [
            "Web Server Extensions"
          ],
          "product": "PcVue",
          "vendor": "arcinfo",
          "versions": [
            {
              "lessThan": "16.2.4",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "cpe"
            },
            {
              "lessThan": "15.2.11",
              "status": "affected",
              "version": "15.0.0",
              "versionType": "cpe"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Only servers where the Web \u0026amp; Mobile features are deployed are affected.\u003cbr\u003eThe PcVue Web back end and the Web Server must run different versions."
            }
          ],
          "value": "Only servers where the Web \u0026 Mobile features are deployed are affected.\nThe PcVue Web back end and the Web Server must run different versions."
        }
      ],
      "datePublic": "2024-12-02T23:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "User credentials (login \u0026amp; password) are inserted into log files when a user tries to authenticate using a version of a Web client that is not compatible with that of the PcVue Web back end.\u003cbr\u003eBy exploiting this vulnerability, an attacker could retrieve the credentials of a user by accessing the Log File. Successful exploitation of this vulnerability could lead to unauthorized access to the application."
            }
          ],
          "value": "User credentials (login \u0026 password) are inserted into log files when a user tries to authenticate using a version of a Web client that is not compatible with that of the PcVue Web back end.\nBy exploiting this vulnerability, an attacker could retrieve the credentials of a user by accessing the Log File. Successful exploitation of this vulnerability could lead to unauthorized access to the application."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "No POC available."
            }
          ],
          "value": "No POC available."
        },
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Not known to be exploited"
            }
          ],
          "value": "Not known to be exploited"
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NO",
            "Recovery": "USER",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "HIGH",
            "attackRequirements": "PRESENT",
            "attackVector": "LOCAL",
            "baseScore": 1.8,
            "baseSeverity": "LOW",
            "privilegesRequired": "HIGH",
            "providerUrgency": "CLEAR",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "LOW",
            "userInteraction": "NONE",
            "valueDensity": "CONCENTRATED",
            "vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/AU:N/R:U/V:C/RE:M/U:Clear",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "MODERATE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-532",
              "description": "CWE-532 Insertion of Sensitive Information into Log File",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-03-21T15:55:47.995Z",
        "orgId": "87c8e6ad-f0f5-4ca8-89e2-89f26d6ed932",
        "shortName": "arcinfo"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.pcvue.com/security/#SB2024-6"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cb\u003e\u003cu\u003eUninstall the Web Server\u003cbr\u003e\u003c/u\u003e\u003c/b\u003eIf your system does not require the use of the Web \u0026amp; Mobile features, you should make sure not to install them. \u003cbr\u003e\u003cb\u003e\u003cu\u003e\u003cbr\u003eRe-deploy the Web Server:\u003c/u\u003e\u003c/b\u003e\u003cbr\u003eRe-deploy the Web Server with the Web Deployment Console (WDC) provided with the PcVue Web back end installation so that the PcVue Web back end and the Web server run the same version.\u003cbr\u003e\u003cbr\u003e\n\n\u003cb\u003e\u003cu\u003eUpdate the PcVue Web back end\u003c/u\u003e\u003c/b\u003e\u003cbr\u003eInstall a patched release of the product, including the Web back end and Web Deployment Console (WDC) and use the WDC to re-deploy the Web Server. In case of future updates, credentials will no longer be inserted into the Log files even if the PcVue back end and the Web server are incompatible.\u003cbr\u003e\u003cbr\u003e\u003cb\u003e\u003cu\u003eAvailable patches:\u003c/u\u003e\u003c/b\u003e\u003cbr\u003eFixed in:\u003cbr\u003e\u003cul\u003e\u003cli\u003e16.2.4\u003c/li\u003e\u003cli\u003e15.2.11\u003c/li\u003e\u003c/ul\u003e"
            }
          ],
          "value": "Uninstall the Web Server\nIf your system does not require the use of the Web \u0026 Mobile features, you should make sure not to install them. \n\nRe-deploy the Web Server:\nRe-deploy the Web Server with the Web Deployment Console (WDC) provided with the PcVue Web back end installation so that the PcVue Web back end and the Web server run the same version.\n\n\n\nUpdate the PcVue Web back end\nInstall a patched release of the product, including the Web back end and Web Deployment Console (WDC) and use the WDC to re-deploy the Web Server. In case of future updates, credentials will no longer be inserted into the Log files even if the PcVue back end and the Web server are incompatible.\n\nAvailable patches:\nFixed in:\n  *  16.2.4\n  *  15.2.11"
        }
      ],
      "source": {
        "advisory": "SB2024-6",
        "discovery": "EXTERNAL"
      },
      "title": "User credentials recorded in log files",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "87c8e6ad-f0f5-4ca8-89e2-89f26d6ed932",
    "assignerShortName": "arcinfo",
    "cveId": "CVE-2024-12057",
    "datePublished": "2024-12-09T19:08:15.527Z",
    "dateReserved": "2024-12-02T19:57:23.640Z",
    "dateUpdated": "2025-03-21T15:55:47.995Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Log in or create an account to share your comment.

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.