Vaion-262: plaintext password in audit log when user changes their password
Release Date
11th March 2020.
Overview
When a manually added user changes their password in "My profile", their old password is shown in plaintext in the audit log.
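The defect class described above, shown as an added illustration that is not Vaion's vcore code: an audit helper that serialises the whole password-change request (so the old password lands in the log) beside a hardened one that allow-lists non-secret fields and redacts credential-like keys, plus a check a defender can run over existing log entries. The event name, field names and sample request are assumptions constructed for the example.

```python
import json

# Fields an audit record for a profile password change is allowed to carry.
# Anything credential-like (old_password, new_password, ...) must never be logged.
AUDIT_ALLOWLIST = {"event", "user", "source_ip"}
SECRET_HINTS = ("password", "passwd", "secret", "token")


def vulnerable_audit_entry(request):
    """Flawed pattern: dumps the entire request, old password included, into the audit log."""
    return json.dumps({"event": "password_change", **request}, sort_keys=True)


def safe_audit_entry(request):
    """Hardened pattern: keep allow-listed fields, redact credential-like keys, drop the rest."""
    record = {}
    for key, value in request.items():
        if key in AUDIT_ALLOWLIST:
            record[key] = value
        elif any(hint in key.lower() for hint in SECRET_HINTS):
            record[key] = "<redacted>"  # presence is recorded, the value is not
        # Unknown fields are dropped rather than written to the log.
    record["event"] = "password_change"
    return json.dumps(record, sort_keys=True)


def leaks_secret(entry, secrets):
    """Detection check: does a written log entry contain any known plaintext secret?"""
    return any(s in entry for s in secrets)


# Constructed sample request for a user changing their password in "My profile".
SAMPLE_REQUEST = {
    "user": "alice",
    "source_ip": "192.0.2.10",
    "old_password": "hunter2",
    "new_password": "correct horse battery staple",
}

if __name__ == "__main__":
    bad = vulnerable_audit_entry(SAMPLE_REQUEST)
    good = safe_audit_entry(SAMPLE_REQUEST)
    print("vulnerable:", bad, "leaks:", leaks_secret(bad, ["hunter2"]))
    print("hardened:  ", good, "leaks:", leaks_secret(good, ["hunter2"]))
```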
Affected Products
- vcore:
  - All versions up to and including 1.4.2.
  - All 1.5 versions up to and including 1.5.1.
Unaffected Products
- vcore:
  - All 1.4 versions from 1.4.3.
  - All versions from 1.5.2.
- vcam: All versions.
- vcloud: All versions.
Resolution
This issue has been fixed in vcore versions 1.4.3 and 1.5.2. We recommend that all vcore installations running an affected version upgrade to the latest release as soon as possible.
Vulnerability Information
- CVE: Pending
- CVSSv3 score: 6.8 Medium
- CVSSv3 vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N
Mitigations
This vulnerability can be mitigated by deleting the affected logs. Do this by connecting to the vcore SSH console and executing the following command (note that this will delete all logs):
vplat# advanced clear-logs
Acknowledgements
Issue found internally by Vaion.
Disclosure Timeline
- 09/03/2020 Issue found internally by Vaion
- 09/03/2020 Fix identified
- 11/03/2020 Patched vcore released
- 11/03/2020 Vulnerability publicly disclosed