3.5 Low
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:S/C:P/I:N/A:N
0.002 Low
EPSS
Percentile
52.6%
Artiva Agency Single Sign-On (SSO) feature checks only the local Windows login name which could allow an attacker to impersonate another Artiva Agency user.
Artiva Agency Single Sign-On (SSO) feature when configured with the domain name option allows the currently logged on Windows user to automatically be logged into the Artiva Agency application using the same username without any additional authentication. Artiva Agency Single Sign-On (SSO) checks only the local Window login name and as a result does not take into consideration the associated user’s domain name. By creating a local Windows user account with the same username as a Windows domain account, Artiva Agency will allow the attacker to login as the domain account to the Artiva Agency application.
An unauthenticated Artiva Agency user can create a local Windows user account with the same username as a Windows domain account and Artiva Agency will allow the attacker to login as the domain account to the Artiva Agency application.
Update
The vendor has released an update to address this vulnerability. Affected users are advised to update to Artiva Workstation 1.3.9 or later. The vendor has stated that additional setup work in the Artiva application is required.
It has been reported to us that this vulnerability affects the following Artiva line products and versions:
215284
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Notified: January 23, 2014 Updated: January 23, 2014
Unknown
We have not received a statement from the vendor.
Group | Score | Vector |
---|---|---|
Base | 1.5 | AV:L/AC:M/Au:S/C:P/I:N/A:N |
Temporal | 1.2 | E:F/RL:OF/RC:C |
Environmental | 0.5 | CDP:L/TD:L/CR:ND/IR:ND/AR:ND |
<http://www.ontariosystems.com/products/artiva>
Thanks to the reporter that wishes to remain anonymous.
This document was written by Michael Orlando.
CVE IDs: | CVE-2014-0348 |
---|---|
Date Public: | 2014-04-01 Date First Published: |