Weak password in cPanel - #VU4863

Published: January 18, 2017


Vulnerability identifier: #VU4863
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-521
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: cPanel, Inc
Affected software:
cPanel

Detailed vulnerability description

The vulnerability allows a remote attacker to gain unauthorized access to the database.

The Munin monitoring tool includes a plugin to check the status of the MySQL service. This plugin used a dedicated test MySQL user to provide this functionality. The password set for this user was identical to the username. In cPanel’s current configuration of Munin, this MySQL user is no longer required and has been removed.
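The weak-credential pattern described above (a MySQL account whose password equals its username) can be audited without knowing any password in plaintext, because the mysql_native_password scheme is unsalted: the stored value is "*" followed by the uppercase hex of SHA1(SHA1(password)), so a server administrator can compare each row's hash against the hash of its own username. The script below is an added example, not cPanel's or Munin's code; the account name "munin" and the other rows are constructed sample data shaped like `SELECT User, Host, authentication_string FROM mysql.user`, and the check assumes mysql_native_password hashes (rows using other plugins, such as the salted caching_sha2_password, are skipped rather than misjudged).

```python
import hashlib


def mysql_native_password_hash(password: str) -> str:
    """Return the mysql_native_password hash: '*' + uppercase hex of SHA1(SHA1(pw))."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def is_native_hash(auth_string: str) -> bool:
    """mysql_native_password hashes are exactly 41 chars and start with '*'."""
    return len(auth_string) == 41 and auth_string.startswith("*")


def find_username_as_password(rows):
    """Flag (user, host) pairs whose stored hash equals the hash of the username.

    rows: iterable of (user, host, authentication_string) tuples, e.g. the result of
    SELECT User, Host, authentication_string FROM mysql.user.
    Rows whose hash is not mysql_native_password cannot be checked this way and are skipped.
    """
    weak = []
    for user, host, auth_string in rows:
        if not is_native_hash(auth_string):
            continue  # salted scheme (e.g. caching_sha2_password); not comparable offline
        if auth_string == mysql_native_password_hash(user):
            weak.append((user, host))
    return weak


# Constructed sample rows (not real credentials): one account uses its own name as password.
SAMPLE_ROWS = [
    ("munin", "localhost", mysql_native_password_hash("munin")),          # hypothetical weak account
    ("app", "localhost", mysql_native_password_hash("correct horse battery staple")),
    ("root", "localhost", mysql_native_password_hash("s3cr3t-root-pw")),
    ("svc", "%", "$A$005$constructed-caching-sha2-style-hash"),            # non-native, skipped
]

if __name__ == "__main__":
    for user, host in find_username_as_password(SAMPLE_ROWS):
        print(f"password equals username: '{user}'@'{host}'")
```

In practice the rows come from a privileged query against the live server; the comparison itself needs no connection once the hashes are exported, and any hit should be rotated to a random password (or the account dropped, as cPanel did with the Munin test user).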

Successful exploitation of this vulnerability may allow an attacker to gain unauthorized access to the MySQL database.


Remediation

This issue is resolved in the following builds:
62.0.4
60.0.35
58.0.43
56.0.43
54.0.36

Sources