CVE-2015-0922

medium

Description

McAfee ePolicy Orchestrator (ePO) before 4.6.9 and 5.x before 5.1.2 uses the same secret key across different customers' installations, which allows attackers to obtain the administrator password by leveraging knowledge of the encrypted password.

References

http://packetstormsecurity.com/files/129827/McAfee-ePolicy-Orchestrator-Authenticated-XXE-Credential-Exposure.html

http://seclists.org/fulldisclosure/2015/Jan/37

http://seclists.org/fulldisclosure/2015/Jan/8

http://www.securityfocus.com/bid/72298

http://www.securitytracker.com/id/1031519

https://exchange.xforce.ibmcloud.com/vulnerabilities/99949

https://gist.github.com/brandonprry/692e553975bf29aeaf2c

https://kc.mcafee.com/corporate/index?page=content&id=SB10095

Details

Source: MITRE

Published: 2015-01-09

Updated: 2017-09-08

Type: CWE-200

Risk Information

CVSS v2

Base Score: 5

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Impact Score: 2.9

Exploitability Score: 10

Severity: MEDIUM