CVE-2023-22271Weak Encoding for Password in Adobe Experience Manager

CWE-261Weak Encoding for PasswordCWE-326Inadequate Encryption Strength3 documents3 sources
Severity
5.3MEDIUMNVD
EPSS
0.2%
top 54.62%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Adobe Experience ManagerAdobe Experience Manager Cloud Service
Timeline
PublishedMar 22

Description

Experience Manager versions 6.5.15.0 (and earlier) are affected by a Weak Cryptography for Passwords vulnerability that can lead to a security feature bypass. A low-privileged attacker can exploit this in order to decrypt a user's password. The attack complexity is high since a successful exploitation requires to already have in possession this encrypted secret.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.6 | Impact: 3.6

Affected Packages3 packages

NVDadobe/experience_manager< 6.5.16.0
CVEListV5adobe/experience_managerunspecified6.5.15.0+1

🔴Vulnerability Details

2
CVEList
AEM Weak Cryptography for Passwords Security feature bypass2023-03-22
GHSA
GHSA-pfv4-g52j-f26m: Experience Manager versions 62023-03-22
CVE-2023-22271 — Weak Encoding for Password in Adobe | cvebase