Executive Summary
Summary | |
---|---|
Title | CollabNet ScrumWorks Basic Server transmits credential information in plaintext |
Information | |||
---|---|---|---|
Name | VU#547167 | First vendor Publication | 2011-01-21 |
Vendor | VU-CERT | Last vendor Modification | 2011-01-21 |
Severity (Vendor) | N/A | Revision | M |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
Impact SubScore | NA | Temporal Score | NA |
Exploitability Sub Score | NA | ||
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:P/I:N/A:N) | |||
---|---|---|---|
Cvss Base Score | 5 | Attack Range | Network |
Cvss Impact Score | 2.9 | Attack Complexity | Low |
Cvss Exploit Score | 10 | Authentication | None Required |
Detail
Vulnerability Note VU#547167
CollabNet ScrumWorks Basic Server transmits credential information in plaintext

Overview
Communication between the CollabNet ScrumWorks Basic Server and CollabNet ScrumWorks Desktop Client transmits credential information in plaintext.

I. Description
The communication between the CollabNet ScrumWorks Basic Server and CollabNet ScrumWorks Desktop Client is transmitting credential information in plaintext. The CollabNet ScrumWorks Basic Server communicates with the CollabNet ScrumWorks Desktop Client using unencrypted Java objects. These unencrypted Java objects contain the username and password of the active user or (by calling specific functions) all users on the CollabNet ScrumWorks Basic Server.

An additional vulnerability exists in CollabNet ScrumWorks where the ScrumWorks Basic Server stores unencrypted client username and passwords in its internal database.

Restrict access

References
Thanks to David Elze from Daimler TSS Technical Security for reporting this vulnerability. This document was written by Michael Orlando.
Original Source
Url : http://www.kb.cert.org/vuls/id/547167 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-310 | Cryptographic Issues |
CPE : Common Platform Enumeration
Type | Description | Count |
---|---|---|
Application | 1 |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
70602 | ScrumWorks Basic Server Base64-encoded Credentials Transmission ScrumWorks Basic Server contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when the login credentials for the server are transmitted as Base64-encoded text, which will disclose login information to a remote attacker via sniffing network traffic. |
70601 | ScrumWorks Basic Server server/scrumworks/data/hypersonic/scrumworks.log Plai... ScrumWorks Basic Server contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when the login credentials for the server component are stored in cleartext within the 'server/scrumworks/data/hypersonic/scrumworks.log' file, which will disclose login information to a local attacker. |