ID CVE-2019-3937
Summary Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 stores usernames, passwords, slideshow passcode, and other configuration options in cleartext in the file /tmp/scfgdndf. A local attacker can use this vulnerability to recover sensitive data.
References
Vulnerable Configurations
  • cpe:2.3:o:crestron:am-100_firmware:1.6.0.2:*:*:*:*:*:*:*
    cpe:2.3:o:crestron:am-100_firmware:1.6.0.2:*:*:*:*:*:*:*
  • cpe:2.3:h:crestron:am-100:-:*:*:*:*:*:*:*
    cpe:2.3:h:crestron:am-100:-:*:*:*:*:*:*:*
  • cpe:2.3:o:crestron:am-101_firmware:2.7.0.2:*:*:*:*:*:*:*
    cpe:2.3:o:crestron:am-101_firmware:2.7.0.2:*:*:*:*:*:*:*
  • cpe:2.3:h:crestron:am-101:-:*:*:*:*:*:*:*
    cpe:2.3:h:crestron:am-101:-:*:*:*:*:*:*:*
CVSS
Base: 2.1 (as of 16-10-2020 - 16:03)
Impact:
Exploitability:
CWE CWE-312
CAPEC
  • Retrieve Embedded Sensitive Data
    An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack.
Access
VectorComplexityAuthentication
LOCAL LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL NONE NONE
cvss-vector via4 AV:L/AC:L/Au:N/C:P/I:N/A:N
refmap via4
misc https://www.tenable.com/security/research/tra-2019-20
Last major update 16-10-2020 - 16:03
Published 30-04-2019 - 21:29
Last modified 16-10-2020 - 16:03
Back to Top