cnvd - cnvd-2018-14365

cnvd-2018-14365

Vulnerability from cnvd

Title: McAfee ePolicy Orchestrator信息泄露漏洞（CNVD-2018-14365）

Description:

McAfee ePolicy Orchestrator（ePO）是美国迈克菲（McAfee）公司的一套可扩展的安全管理软件。该软件可对终端、网络、内容安全和合规解决方案实现集中的简化管理。

McAfee ePO 5.3.0版本至5.3.3版本和5.9.0版本至5.9.1版本中存在信息泄露漏洞。攻击者可利用该漏洞查看明文形式的敏感信息。

Severity: 中

Patch Name: McAfee ePolicy Orchestrator信息泄露漏洞（CNVD-2018-14365）的补丁

Patch Description:

McAfee ePO 5.3.0版本至5.3.3版本和5.9.0版本至5.9.1版本中存在信息泄露漏洞。攻击者可利用该漏洞查看明文形式的敏感信息。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://kc.mcafee.com/corporate/index?page=content&id=SB10240

Reference: https://kc.mcafee.com/corporate/index?page=content&id=SB10240

Impacted products

Name
['McAfee, Inc. ePolicy Orchestrator >=5.3.0;<=5.3.3', 'McAfee, Inc. ePolicy Orchestrator >=5.9.0;<=5.9.1']

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "104485"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2018-6672",
      "cveUrl": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6672"
    }
  },
  "description": "McAfee ePolicy Orchestrator\uff08ePO\uff09\u662f\u7f8e\u56fd\u8fc8\u514b\u83f2\uff08McAfee\uff09\u516c\u53f8\u7684\u4e00\u5957\u53ef\u6269\u5c55\u7684\u5b89\u5168\u7ba1\u7406\u8f6f\u4ef6\u3002\u8be5\u8f6f\u4ef6\u53ef\u5bf9\u7ec8\u7aef\u3001\u7f51\u7edc\u3001\u5185\u5bb9\u5b89\u5168\u548c\u5408\u89c4\u89e3\u51b3\u65b9\u6848\u5b9e\u73b0\u96c6\u4e2d\u7684\u7b80\u5316\u7ba1\u7406\u3002\r\n\r\nMcAfee ePO 5.3.0\u7248\u672c\u81f35.3.3\u7248\u672c\u548c5.9.0\u7248\u672c\u81f35.9.1\u7248\u672c\u4e2d\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u67e5\u770b\u660e\u6587\u5f62\u5f0f\u7684\u654f\u611f\u4fe1\u606f\u3002",
  "discovererName": "McAfee",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://kc.mcafee.com/corporate/index?page=content\u0026id=SB10240",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2018-14365",
  "openTime": "2018-08-01",
  "patchDescription": "McAfee ePolicy Orchestrator\uff08ePO\uff09\u662f\u7f8e\u56fd\u8fc8\u514b\u83f2\uff08McAfee\uff09\u516c\u53f8\u7684\u4e00\u5957\u53ef\u6269\u5c55\u7684\u5b89\u5168\u7ba1\u7406\u8f6f\u4ef6\u3002\u8be5\u8f6f\u4ef6\u53ef\u5bf9\u7ec8\u7aef\u3001\u7f51\u7edc\u3001\u5185\u5bb9\u5b89\u5168\u548c\u5408\u89c4\u89e3\u51b3\u65b9\u6848\u5b9e\u73b0\u96c6\u4e2d\u7684\u7b80\u5316\u7ba1\u7406\u3002\r\n\r\nMcAfee ePO 5.3.0\u7248\u672c\u81f35.3.3\u7248\u672c\u548c5.9.0\u7248\u672c\u81f35.9.1\u7248\u672c\u4e2d\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u67e5\u770b\u660e\u6587\u5f62\u5f0f\u7684\u654f\u611f\u4fe1\u606f\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "McAfee ePolicy Orchestrator\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff08CNVD-2018-14365\uff09\u7684\u8865\u4e01",
  "products": {
    "product": [
      "McAfee, Inc. ePolicy Orchestrator \u003e=5.3.0;\u003c=5.3.3",
      "McAfee, Inc. ePolicy Orchestrator \u003e=5.9.0;\u003c=5.9.1"
    ]
  },
  "referenceLink": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10240",
  "serverity": "\u4e2d",
  "submitTime": "2018-06-20",
  "title": "McAfee ePolicy Orchestrator\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff08CNVD-2018-14365\uff09"
}

CVE-2018-6672 (GCVE-0-2018-6672)

Vulnerability from cvelistv5

Published

2018-06-15 14:00

Modified

2024-08-05 06:10

Severity ?

5.7 (Medium) - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N

CWE

Information disclosure vulnerability

Summary

Information disclosure vulnerability in McAfee ePolicy Orchestrator (ePO) 5.3.0 through 5.3.3 and 5.9.0 through 5.9.1 allows authenticated users to view sensitive information in plain text format via unspecified vectors.

References

▼	URL	Tags
	http://www.securityfocus.com/bid/104485	vdb-entry, x_refsource_BID
	https://kc.mcafee.com/corporate/index?page=content&id=SB10240	x_refsource_CONFIRM
	http://www.securitytracker.com/id/1041155	vdb-entry, x_refsource_SECTRACK

Impacted products

	Vendor	Product	Version
	McAfee	ePolicy Orchestrator (ePO)	Version: 5.3.0 through 5.3.3 < 5.3.3 with hotfix EPO5xHF1229850 Version: 5.9.0 through 5.9.1 < 5.9.1 with hotfix EPO5xHF1229850

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T06:10:11.360Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "104485",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/104485"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10240"
          },
          {
            "name": "1041155",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1041155"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "ePolicy Orchestrator (ePO)",
          "vendor": "McAfee",
          "versions": [
            {
              "lessThan": "5.3.3 with hotfix EPO5xHF1229850",
              "status": "affected",
              "version": "5.3.0 through 5.3.3",
              "versionType": "custom"
            },
            {
              "lessThan": "5.9.1 with hotfix EPO5xHF1229850",
              "status": "affected",
              "version": "5.9.0 through 5.9.1",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2018-06-14T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Information disclosure vulnerability in McAfee ePolicy Orchestrator (ePO) 5.3.0 through 5.3.3 and 5.9.0 through 5.9.1 allows authenticated users to view sensitive information in plain text format via unspecified vectors."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.7,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Information disclosure vulnerability",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-06-24T09:57:01",
        "orgId": "01626437-bf8f-4d1c-912a-893b5eb04808",
        "shortName": "trellix"
      },
      "references": [
        {
          "name": "104485",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/104485"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10240"
        },
        {
          "name": "1041155",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1041155"
        }
      ],
      "source": {
        "advisory": "SB10240",
        "discovery": "INTERNAL"
      },
      "title": "SB10240 - ePolicy Orchestrator (ePO) - Information disclosure vulnerablity",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@mcafee.com",
          "ID": "CVE-2018-6672",
          "STATE": "PUBLIC",
          "TITLE": "SB10240 - ePolicy Orchestrator (ePO) - Information disclosure vulnerablity"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "ePolicy Orchestrator (ePO)",
                      "version": {
                        "version_data": [
                          {
                            "affected": "\u003c",
                            "version_affected": "\u003c",
                            "version_name": "5.3.0 through 5.3.3",
                            "version_value": "5.3.3 with hotfix EPO5xHF1229850"
                          },
                          {
                            "affected": "\u003c",
                            "version_affected": "\u003c",
                            "version_name": "5.9.0 through 5.9.1",
                            "version_value": "5.9.1 with hotfix EPO5xHF1229850"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "McAfee"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Information disclosure vulnerability in McAfee ePolicy Orchestrator (ePO) 5.3.0 through 5.3.3 and 5.9.0 through 5.9.1 allows authenticated users to view sensitive information in plain text format via unspecified vectors."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.7,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Information disclosure vulnerability"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "104485",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/104485"
            },
            {
              "name": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10240",
              "refsource": "CONFIRM",
              "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10240"
            },
            {
              "name": "1041155",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1041155"
            }
          ]
        },
        "source": {
          "advisory": "SB10240",
          "discovery": "INTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "01626437-bf8f-4d1c-912a-893b5eb04808",
    "assignerShortName": "trellix",
    "cveId": "CVE-2018-6672",
    "datePublished": "2018-06-15T14:00:00",
    "dateReserved": "2018-02-06T00:00:00",
    "dateUpdated": "2024-08-05T06:10:11.360Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted