Vulnerabilities > Insufficiently Protected Credentials
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-09-21 | CVE-2023-43634 | Insufficiently Protected Credentials vulnerability in Lfedge EVE When sealing/unsealing the “vault” key, a list of PCRs is used, which defines which PCRs are used. In a previous project, CYMOTIVE found that the configuration is not protected by the secure boot, and in response Zededa implemented measurements on the config partition that was mapped to PCR 13. In that process, PCR 13 was added to the list of PCRs that seal/unseal the key. In commit “56e589749c6ff58ded862d39535d43253b249acf”, the config partition measurement moved from PCR 13 to PCR 14, but PCR 14 was not added to the list of PCRs that seal/unseal the key. This change makes the measurement of PCR 14 effectively redundant as it would not affect the sealing/unsealing of the key. An attacker could modify the config partition without triggering the measured boot, this could result in the attacker gaining full control over the device with full access to the contents of the encrypted “vault” | 8.8 |
| 2023-09-20 | CVE-2023-43630 | Insufficiently Protected Credentials vulnerability in Linuxfoundation Edge Virtualization Engine PCR14 is not in the list of PCRs that seal/unseal the “vault” key, but due to the change that was implemented in commit “7638364bc0acf8b5c481b5ce5fea11ad44ad7fd4”, fixing this issue alone would not solve the problem of the config partition not being measured correctly. Also, the “vault” key is sealed/unsealed with SHA1 PCRs instead of SHA256. | 8.8 |
| 2023-09-20 | CVE-2022-47561 | Insufficiently Protected Credentials vulnerability in Ormazabal Ekorccp Firmware and Ekorrci Firmware The web application stores credentials in clear text in the "admin.xml" file, which can be accessed without logging into the website, which could allow an attacker to obtain credentials related to all users, including admin users, in clear text, and use them to subsequently execute malicious actions. | 5.5 |
| 2023-09-20 | CVE-2023-25531 | Insufficiently Protected Credentials vulnerability in Nvidia DGX H100 Firmware NVIDIA DGX H100 BMC contains a vulnerability in IPMI, where an attacker may cause insufficient protection of credentials. | 9.8 |
| 2023-09-20 | CVE-2023-25532 | Insufficiently Protected Credentials vulnerability in Nvidia DGX H100 Firmware NVIDIA DGX H100 BMC contains a vulnerability in IPMI, where an attacker may cause insufficient protection of credentials. | 7.5 |
| 2023-09-14 | CVE-2023-41010 | Insufficiently Protected Credentials vulnerability in Tianyisc Tewa-700G Firmware Insecure Permissions vulnerability in Sichuan Tianyi Kanghe Communication Co., Ltd China Telecom Tianyi Home Gateway v.TEWA-700G allows a local attacker to obtain sensitive information via the default password parameter. | 5.5 |
| 2023-09-05 | CVE-2023-32338 | Insufficiently Protected Credentials vulnerability in IBM products IBM Sterling Secure Proxy and IBM Sterling External Authentication Server 6.0.3 and 6.1.0 stores user credentials in plain clear text which can be read by a local user with container access. | 5.5 |
| 2023-08-29 | CVE-2023-3251 | Insufficiently Protected Credentials vulnerability in Tenable Nessus A pass-back vulnerability exists where an authenticated, remote attacker with administrator privileges could uncover stored SMTP credentials within the Nessus application.This issue affects Nessus: before 10.6.0. | 4.9 |
| 2023-08-22 | CVE-2022-45611 | Insufficiently Protected Credentials vulnerability in Fresenius-Kabi Pharmahelp Firmware 5.1.759.0 An issue was discovered in Fresenius Kabi PharmaHelp 5.1.759.0 allows attackers to gain escalated privileges via via capture of user login information. | 9.8 |
| 2023-08-18 | CVE-2023-40173 | Insufficiently Protected Credentials vulnerability in Fobybus Social-Media-Skeleton Social media skeleton is an uncompleted/framework social media project implemented using a php, css ,javascript and html. | 7.5 |