// For flags

CVE-2019-0032

Junos Space Service Now and Service Insight: Organization username and password stored in plaintext in log files.

Severity Score

7.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

A password management issue exists where the Organization authentication username and password were stored in plaintext in log files. A locally authenticated attacker who is able to access these stored plaintext credentials can use them to login to the Organization. Affected products are: Juniper Networks Service Insight versions from 15.1R1, prior to 18.1R1. Service Now versions from 15.1R1, prior to 18.1R1.

Se presenta un problema de administración de contraseña donde el nombre de usuario y la contraseña de autenticación de la Organización fueron almacenadas en texto plano en los archivos de registro. Un atacante autenticado localmente que es capaz de acceder a estas credenciales almacenadas de texto plano puede usarlas para iniciar sesión en la Organización. Los productos afectados son: Juniper Networks Service Insight versiones desde 15.1R1, anterior a 18.1R1. Service Now versiones desde 15.1R1, anterior a 18.1R1.

*Credits: N/A
CVSS Scores
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None
Attack Vector
Local
Attack Complexity
Low
Authentication
None
Confidentiality
Partial
Integrity
None
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2018-10-11 CVE Reserved
  • 2019-04-10 CVE Published
  • 2024-04-03 EPSS Updated
  • 2024-09-16 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-256: Plaintext Storage of a Password
  • CWE-522: Insufficiently Protected Credentials
  • CWE-532: Insertion of Sensitive Information into Log File
CAPEC
References (3)
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Juniper
Search vendor "Juniper"
Service Insight
Search vendor "Juniper" for product "Service Insight"
>= 15.1r1 < 18.1r1
Search vendor "Juniper" for product "Service Insight" and version " >= 15.1r1 < 18.1r1"
-
Affected
Juniper
Search vendor "Juniper"
Service Now
Search vendor "Juniper" for product "Service Now"
>= 15.1r1 < 18.1r1
Search vendor "Juniper" for product "Service Now" and version " >= 15.1r1 < 18.1r1"
-
Affected