CVE-2009-3035

High

Description

The web console in Symantec Altiris Notification Server 6.0.x before 6.0 SP3 R12 uses a hardcoded key that can decrypt SQL Server credentials and certain discovery credentials, and stores this key on the Notification Server machine, which allows local users to obtain sensitive information and possibly execute arbitrary code by decrypting and using these credentials.

References

https://exchange.xforce.ibmcloud.com/vulnerabilities/55952

http://www.vupen.com/english/advisories/2010/0256

http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2010&suid=20100128_00

http://www.securitytracker.com/id?1023521

http://www.securityfocus.com/bid/37953

http://secunia.com/advisories/38356

http://osvdb.org/62010

Details

Source: Mitre, NVD

Published: 2010-02-02

Updated: 2017-08-17

Risk Information

CVSS v2

Base Score: 4.3

Vector: CVSS2#AV:L/AC:L/Au:S/C:P/I:P/A:P

Severity: Medium

CVSS v3

Base Score: 7.8

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Severity: High