CVE-2019-18906 — Improper Authentication in Linux Enterprise Server FOR SAP 12-sp5

CWE-287 — Improper Authentication3 documents3 sources

Severity

9.8CRITICALNVD

EPSS

0.3%

top 44.15%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Suse Linux Enterprise Server FOR SAP 12-sp5 Suse Manager Server 4.0 Opensuse Cryptctl

Timeline

PublishedJun 30

Latest updateMay 24

Description

A Improper Authentication vulnerability in cryptctl of SUSE Linux Enterprise Server for SAP 12-SP5, SUSE Manager Server 4.0 allows attackers with access to the hashed password to use it without having to crack it. This issue affects: SUSE Linux Enterprise Server for SAP 12-SP5 cryptctl versions prior to 2.4. SUSE Manager Server 4.0 cryptctl versions prior to 2.4.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶CVEListV5suse/suse_linux_enterprise_server_for_sap_12-sp5cryptctl — 2.4

▶CVEListV5suse/suse_manager_server_4.0cryptctl — 2.4

▶NVDopensuse/cryptctl< 2.4

🔴Vulnerability Details

GHSA

GHSA-x9cr-r4j4-8ph8: A Use of Password Hash Instead of Password for Authentication vulnerability in cryptctl of SUSE Linux Enterprise Server for SAP 12-SP5, SUSE Manager S↗2022-05-24

▶

CVEList

cryptctl: client side password hashing is equivalent to clear text password storage↗2021-06-30

▶