CVE-2024-29954

A vulnerability in a password management API in Brocade Fabric OS versions before v9.2.1, v9.2.0b, v9.1.1d, and v8.2.3e prints sensitive information in log files. This could allow an authenticated user to view the server passwords for protocols such as scp and sftp. Detail. When the firmwaredownload command is incorrectly entered or points to an erroneous file, the firmware download log captures the failed command, including any password entered in the command line.
Configurations

Configuration 1 (hide)

OR cpe:2.3:o:broadcom:fabric_operating_system:*:*:*:*:*:*:*:*
cpe:2.3:o:broadcom:fabric_operating_system:*:*:*:*:*:*:*:*
cpe:2.3:o:broadcom:fabric_operating_system:*:*:*:*:*:*:*:*

History

06 Aug 2024, 16:07

Type Values Removed Values Added
References () https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/23226 - () https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/23226 - Vendor Advisory
CVSS v2 : unknown
v3 : 5.9
v2 : unknown
v3 : 5.5
CPE cpe:2.3:o:broadcom:fabric_operating_system:*:*:*:*:*:*:*:*
Summary
  • (es) Una vulnerabilidad en una API de administración de contraseñas en las versiones de Brocade Fabric OS anteriores a v9.2.1, v9.2.0b, v9.1.1d y v8.2.3e imprime información confidencial en archivos de registro. Esto podría permitir a un usuario autenticado ver las contraseñas del servidor para protocolos como scp y sftp. Detalle. Cuando el comando de descarga de firmware se ingresa incorrectamente o apunta a un archivo erróneo, el registro de descarga de firmware captura el comando fallido, incluida cualquier contraseña ingresada en la línea de comando.
First Time Broadcom
Broadcom fabric Operating System
CWE CWE-532

26 Jun 2024, 00:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-06-26 00:15

Updated : 2024-08-06 16:07


NVD link : CVE-2024-29954

Mitre link : CVE-2024-29954

CVE.ORG link : CVE-2024-29954


JSON object : View

Products Affected

broadcom

  • fabric_operating_system
CWE
CWE-532

Insertion of Sensitive Information into Log File

CWE-312

Cleartext Storage of Sensitive Information