CVE-2022-28170 — Insecure Storage of Sensitive Information in Fabric Operating System

CWE-922 — Insecure Storage of Sensitive Information4 documents4 sources

Severity

6.5MEDIUMNVD

EPSS

0.1%

top 82.29%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Broadcom Fabric Operating System Brocade Fabric OS

Timeline

PublishedOct 25

Latest updateOct 26

Description

Brocade Fabric OS Web Application services before Brocade Fabric v9.1.0, v9.0.1e, v8.2.3c, v7.4.2j store server and user passwords in the debug statements. This could allow a local user to extract the passwords from a debug file.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:NExploitability: 2.0 | Impact: 4.0

Affected Packages2 packages

▶CVEListV5brocade/brocade_fabric_osBrocade Fabric OS versions before Brocade Fabric v9.1.0, v9.0.1e, v8.2.3c, v7.4.2j

▶NVDbroadcom/fabric_operating_system8.0.0 — 8.2.3c+3

🔴Vulnerability Details

GHSA

GHSA-73xq-c68f-h599: Brocade Fabric OS Web Application services before Brocade Fabric v9↗2022-10-26

▶

CVEList

CVE-2022-28170: Brocade Fabric OS Web Application services before Brocade Fabric v9↗2022-10-25

▶

📋Vendor Advisories

Oracle

Oracle Oracle Communications Risk Matrix: Policy (Jakarta) — CVE-2021-28170↗2022-04-15

▶