In CloudVision Portal (CVP) for all releases in the 2018...

Low severity Unreviewed Published May 24, 2022 to the GitHub Advisory Database • Updated Jan 29, 2023

Package

No package listed

Affected versions

Unknown

Patched versions

Unknown

Description

In CloudVision Portal (CVP) for all releases in the 2018.2 Train, under certain conditions, the application logs user passwords in plain text for certain API calls, potentially leading to user password exposure. This only affects CVP environments where:

1. Devices have enable mode passwords which are different from the user's login password, OR
2. There are configlet builders that use the Device class and specify username and password explicitly.

Application logs are not accessible or visible from the CVP GUI. Application logs can only be read by authorized users with privileged access to the VM hosting the CVP application.

References

Published by the National Vulnerability Database Dec 19, 2019
Published to the GitHub Advisory Database May 24, 2022
Last updated Jan 29, 2023

Severity

Low

EPSS score

0.065%
(29th percentile)

Weaknesses

CVE ID

CVE-2019-18615

GHSA ID

GHSA-jmhx-5gvj-3fgw

Source code

No known source code

Dependabot alerts are not supported on this advisory because it does not have a package from a supported ecosystem with an affected and fixed version.
