CVE-2021-23890

CWE-200 — Information Exposure3 documents3 sources

Severity

6.5MEDIUM

EPSS

0.7%

top 27.56%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mcafee,llc Mcafee Epolicy Orchestrator (epo)Mcafee Epolicy Orchestrator

Timeline

PublishedMar 26

Latest updateMay 24

Description

Information leak vulnerability in the Agent Handler of McAfee ePolicy Orchestrator (ePO) prior to 5.10 Update 10 allows an unauthenticated user to download McAfee product packages (specifically McAfee Agent) available in ePO repository and install them on their own machines to have it managed and then in turn get policy details from the ePO server. This can only happen when the ePO Agent Handler is installed in a Demilitarized Zone (DMZ) to service machines not connected to the network through a…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:NExploitability: 3.9 | Impact: 2.5

Affected Packages2 packages

▶NVDmcafee/epolicy_orchestrator< 5.9.1+1

▶CVEListV5mcafee,llc/mcafee_epolicy_orchestrator_(epo)unspecified — 5.10 CU 10

🔴Vulnerability Details

GHSA

GHSA-6gh5-794v-v6mc: Information leak vulnerability in the Agent Handler of McAfee ePolicy Orchestrator (ePO) prior to 5↗2022-05-24

▶

CVEList

McAfee ePO Information Leak vulnerability↗2021-03-26

▶