CVE-2020-4095 — Cleartext Storage of Sensitive Info in Bigfix Platform
Severity
6.0 MEDIUM (NVD)
EPSS
0.0%
top 92.81%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Jul 16
Latest update: May 24
Description
"BigFix Platform is storing clear text credentials within the system's memory. An attacker who is able to gain administrative privileges can use a program to create a memory dump and extract the credentials. These credentials can be used to pivot further into the environment. The principle of least privilege should be applied to all BigFix deployments, limiting administrative access."
CVSS vector
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Exploitability: 1.5 | Impact: 4.0
Affected Packages: 1 package