CVE-2019-14886 — Cleartext Storage of Sensitive Info in RED HAT Business-central

CWE-312 — Cleartext Storage of Sensitive Info5 documents5 sources

Severity

6.5MEDIUMNVD

EPSS

0.1%

top 73.68%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

RED HAT Business-central Redhat Decision Manager Redhat Process Automation Manager

Timeline

PublishedMar 5

Latest updateMay 24

Description

A vulnerability was found in business-central, as shipped in rhdm-7.5.1 and rhpam-7.5.1, where encoded passwords are stored in errai_security_context. The encoding used for storing the passwords is Base64, not an encryption algorithm, and any recovery of these passwords could lead to user passwords being exposed.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶CVEListV5red_hat/business-centralversions of Business-central as shipped in rhdm-7.5.1 and rhpam-7.5.1

▶NVDredhat/decision_manager7.5.1

▶NVDredhat/process_automation_manager7.5.1

🔴Vulnerability Details

GHSA

GHSA-5prq-gjqm-96r8: A vulnerability was found in business-central, as shipped in rhdm-7↗2022-05-24

▶

CVEList

CVE-2019-14886: A vulnerability was found in business-central, as shipped in rhdm-7↗2020-03-05

▶

📋Vendor Advisories

Red Hat

Business-central: Encrypted password shown under Object id 7 of errai_security_context↗2019-09-23

▶

💬Community

Bugzilla

CVE-2019-14886 Business-central: Encrypted password shown under Object id 7 of errai_security_context↗2019-11-12

▶