// For flags

CVE-2018-13820

CA Unified Infrastructure Management Hardcoded Credentials / Missing Authentication

Severity Score

7.5
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

A hardcoded passphrase, in CA Unified Infrastructure Management 8.5.1, 8.5, and 8.4.7, allows attackers to access sensitive information.

Una frase de contraseƱa embebida en CA Unified Infrastructure Management 8.5.1, 8.5 y 8.4.7 permite que los atacantes accedan a informaciĆ³n sensible.

CA Technologies Support is alerting customers to multiple potential risks with CA Unified Infrastructure Management. Multiple vulnerabilities exist that can allow an attacker, who has access to the network on which CA UIM is running, to run arbitrary CA UIM commands on machines where the CA UIM probes are running. An attacker can also gain access to other machines running CA UIM and access the filesystems of those machines. The first vulnerability, has a medium risk rating and concerns a hardcoded secret key, which can allow an attacker to access sensitive information. The second vulnerability has a medium risk rating and concerns a hardcoded passphrase, which can allow an attacker to access sensitive information. The third vulnerability has a high risk rating and concerns a lack of authentication, which can allow a remote attacker to conduct a variety of attacks, including file reading/writing. Affected versions include 8.5.1, 8.5, and 8.4.7.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
Partial
Integrity
None
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2018-07-10 CVE Reserved
  • 2018-08-30 CVE Published
  • 2024-09-16 CVE Updated
  • 2025-03-30 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-798: Use of Hard-coded Credentials
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Ca
Search vendor "Ca"
 Unified Infrastructure Management
Search vendor "Ca" for product "Unified Infrastructure Management"
 8.4.7
Search vendor "Ca" for product "Unified Infrastructure Management" and version "8.4.7"
-
Affected
Ca
Search vendor "Ca"
 Unified Infrastructure Management
Search vendor "Ca" for product "Unified Infrastructure Management"
 8.5
Search vendor "Ca" for product "Unified Infrastructure Management" and version "8.5"
-
Affected
Ca
Search vendor "Ca"
 Unified Infrastructure Management
Search vendor "Ca" for product "Unified Infrastructure Management"
 8.5.1
Search vendor "Ca" for product "Unified Infrastructure Management" and version "8.5.1"
-
Affected