#VU4863 Weak password in cPanel
Published: January 18, 2017
Vulnerability identifier: #VU4863
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-521
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
cPanel
cPanel
Software vendor:
cPanel, Inc
cPanel, Inc
Description
The vulnerability allows a remote attacker to gain unauthorized access to database.
The Munin monitoring tool includes a plugin to check the status of the MySQL service. This plugin used a dedicated test MySQL user to provide this functionality. The password set for this user was identical to the username. In cPanel’s current configuration of Munin, this MySQL user is no longer required and has been removed.
Successful exploitation of this vulnerability may allow an attacker to gain unauthorized access to MySQL database.
Remediation
This issue is resolved in the following builds:
62.0.4
60.0.35
58.0.43
56.0.43
54.0.36
62.0.4
60.0.35
58.0.43
56.0.43
54.0.36