CVE-2023-37495

Internet passwords stored in Person documents in the Domino® Directory created using the "Add Person" action on the People & Groups tab in the Domino® Administrator are secured using a cryptographically weak hash algorithm. This could enable attackers with access to the hashed value to determine a user's password, e.g. using a brute force attack. This issue does not impact Person documents created through user registration https://help.hcltechsw.com/domino/10.0.1/admin/conf_userregistration_c.html .

CVSS v3 5.9 MEDIUM

5.9^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0107585
https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0107585

Configurations

No configuration.

History

21 Nov 2024, 08:11

Type	Values Removed	Values Added
References	~~() https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0107585 -~~	() https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0107585 -

05 Nov 2024, 18:35

Type	Values Removed	Values Added
CWE		CWE-306

29 Feb 2024, 01:40

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-02-29 01:40

Updated : 2024-11-21 08:11

NVD link : CVE-2023-37495

Mitre link : CVE-2023-37495

CVE.ORG link : CVE-2023-37495

JSON object : View

Products Affected

No product.

CWE

CWE-306

Missing Authentication for Critical Function

{"id": "CVE-2023-37495", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "psirt@hcl.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.2}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.2}]}, "published": "2024-02-29T01:40:04.220", "references": [{"url": "https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0107585", "source": "psirt@hcl.com"}, {"url": "https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0107585", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-306"}]}], "descriptions": [{"lang": "en", "value": "Internet passwords stored in Person documents in the Domino\u00ae Directory created using the \"Add Person\" action on the People & Groups tab in the Domino\u00ae Administrator are secured using a cryptographically weak hash algorithm. This could enable attackers with access to the hashed value to determine a user's password, e.g. using a brute force attack. This issue does not impact Person documents created through user registration https://help.hcltechsw.com/domino/10.0.1/admin/conf_userregistration_c.html . \n"}, {"lang": "es", "value": "Las contrase\u00f1as de Internet almacenadas en documentos personales en el directorio de Domino\u00ae creado mediante la acci\u00f3n \"Agregar persona\" en la pesta\u00f1a Personas y grupos del Administrador de Domino\u00ae est\u00e1n protegidas mediante un algoritmo hash criptogr\u00e1ficamente d\u00e9bil. Esto podr\u00eda permitir a los atacantes con acceso al valor hash determinar la contrase\u00f1a de un usuario, por ejemplo, mediante un ataque de fuerza bruta. Este problema no afecta los documentos personales creados mediante el registro de usuario https://help.hcltechsw.com/domino/10.0.1/admin/conf_userregistration_c.html."}], "lastModified": "2024-11-21T08:11:49.717", "sourceIdentifier": "psirt@hcl.com"}