Description

Passwords are stored in clear-text logs. An attacker can retrieve passwords. As for the affected products/models/versions, see the reference URL.

Classification

Assigner: ecc0f906-8666-484c-bcf8-c3b7520a72f0

CWE: CWE-532

Links
CPEs
  • toshibatec product1 version1
  • toshibatec product2 version2

CVSS

CVSS version: 3.1
Base score: 6.2
Base severity: MEDIUM
Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability score: 2.5
Impact score: 3.6

Can you explain the CVE description?

This CVE description is for CVE-2024-27154, which has a CVSS score of 6.2, indicating a medium severity level. The vulnerability involves passwords being stored in clear-text logs, which can be accessed by attackers. The affected products, models, and versions are not specified in the description but can be found in the reference URLs provided. The vulnerability was published on June 14, 2024, and is currently in the EARLY_WARNING status.

The CWE associated with this vulnerability is CWE-532 (Insertion of Sensitive Information into Log File). The CVSS vector is AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating that the vulnerability requires local access, has low attack complexity, requires no privileges and no user interaction, leaves the scope unchanged, has a high impact on confidentiality, and has no impact on integrity or availability. The exploitability score for this vulnerability is 2.5, and the impact score is 3.6.

There are several reference URLs provided for more information on this vulnerability, including links to the Japan Vulnerability Notes (JVN) and Toshiba's official information page and PDF document. The assigner of this CVE is identified as ecc0f906-8666-484c-bcf8-c3b7520a72f0.

How can this vulnerability be part of an attack tree?

This vulnerability can be part of an attack tree by being used as a stepping stone for further attacks. For example, an attacker could exploit this vulnerability to retrieve passwords from clear-text logs, and then use those passwords to gain unauthorized access to sensitive systems or accounts within the affected products/models/versions. This could lead to further data breaches, unauthorized actions, or even complete system compromise. The attacker could also potentially use the retrieved passwords for phishing attacks or other social engineering tactics to deceive users and gain access to additional information or resources.


Generated on: 2024-07-05