History: Jun 30, 2021 - 8:35 a.m.

CVE-2019-18906 cryptctl: client side password hashing is equivalent to clear text password storage

2021-06-30 08:35:12
CWE-287
suse
www.cve.org
authentication
vulnerability
suse linux enterprise server
sap 12-sp5
suse manager server
cryptctl

CVSS3: 9.8

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 9.4
Confidence: High

EPSS: 0.001
Percentile: 47.9%

An Improper Authentication vulnerability in cryptctl of SUSE Linux Enterprise Server for SAP 12-SP5 and SUSE Manager Server 4.0 allows attackers with access to the hashed password to use it without having to crack it. This issue affects: SUSE Linux Enterprise Server for SAP 12-SP5 cryptctl versions prior to 2.4; SUSE Manager Server 4.0 cryptctl versions prior to 2.4.

CNA Affected

[
  {
    "vendor": "SUSE",
    "product": "SUSE Linux Enterprise Server for SAP 12-SP5",
    "versions": [
      {
        "version": "cryptctl",
        "status": "affected",
        "lessThan": "2.4",
        "versionType": "custom"
      }
    ]
  },
  {
    "vendor": "SUSE",
    "product": "SUSE Manager Server 4.0",
    "versions": [
      {
        "version": "cryptctl",
        "status": "affected",
        "lessThan": "2.4",
        "versionType": "custom"
      }
    ]
  }
]
