Vulnerability identifier: #VU80784
Vulnerability risk: Low
CVSSv4.0: 3.5 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U/U:Clear]
CVE-ID:
CWE-ID: CWE-312
Exploitation vector: Local
Exploit availability: No
Vulnerable software:
Infrastructure Manager Advanced Edition (Server applications / Other server solutions)
Infrastructure Manager Advanced Edition for PRIMEFLEX (Server applications / Other server solutions)
Infrastructure Manager Essential Edition (Server applications / Other server solutions)
Vendor: Fujitsu
Description
The vulnerability allows a local user to gain access to potentially sensitive information.
The vulnerability exists due to cleartext storage of sensitive information in the ismsnap component. A local user can retrieve the password for the proxy server that is configured in ISM.
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
Infrastructure Manager Advanced Edition: 2.8.0.060
Infrastructure Manager Advanced Edition for PRIMEFLEX: 2.8.0.060
Infrastructure Manager Essential Edition: 2.8.0.060
External links
https://security.ts.fujitsu.com/ProductSecurity/content/Fujitsu-PSIRT-ISS-IS-2023-071410-Security-Notice.pdf
https://security.ts.fujitsu.com/IndexDownload.asp?SoftwareGuid=a0131919-6d84-43b4-800e-d7f78200a70f
https://www.cisa.gov/news-events/ics-advisories/icsa-23-255-02
Can this vulnerability be exploited remotely?
No. This vulnerability can only be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.