Use of a One-Way Hash without a Salt in APM Classic - CVE-2020-16244
Published: September 23, 2020
Vulnerability identifier: #VU46986
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2020-16244
CWE-ID: CWE-759
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: GE Digital
Affected software:
APM Classic
APM Classic
Detailed vulnerability description
The vulnerability allows a remote user to gain access to sensitive information on the system.
The vulnerability exists due to salt is not used for hash calculation of passwords, making it possible to decrypt passwords. A remote administrator can retrieve all user account data and then retrieve the actual passwords.
How to mitigate CVE-2020-16244
Install updates from vendor's website.