Apache Syncope Insecure Password Generation

2014.07.08
Credit: Apache
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-310


Ogólna skala CVSS: 5/10
Znaczenie: 2.9/10
Łatwość wykorzystania: 10/10
Wymagany dostęp: Zdalny
Złożoność ataku: Niska
Autoryzacja: Nie wymagana
Wpływ na poufność: Brak
Wpływ na integralność: Częściowy
Wpływ na dostępność: Brak

CVE-2014-3503: Insecure Random implementations used to generate passwords in Apache Syncope Severity: Major Vendor: The Apache Software Foundation Versions Affected: This vulnerability affects all versions of Apache Syncope 1.1.x prior to 1.1.8 'Ad libitum'. The 1.0.x releases are not affected. Description: A password is generated for a user in Apache Syncope under certain circumstances, when no existing password is found. However, the password generation code is relying on insecure Random implementations, which means that an attacker could attempt to guess a generated password. This has been fixed in revision: http://svn.apache.org/viewvc?view=revision&revision=1596537 Migration: Syncope 1.0.x users are not affected by this issue. Syncope 1.1.x users should upgrade to 1.1.8 'Ad libitum' as soon as possible. References: http://syncope.apache.org/security.html


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top