McAfee ePO Information Leak vulnerability
CVE-2021-23890

6.5MEDIUM

Key Information:

Vendor: Mcafee,llc
Status: Mcafee Epolicy Orchestrator (epo)
Vendor: CVE Published:; 26 March 2021

Summary

Information leak vulnerability in the Agent Handler of McAfee ePolicy Orchestrator (ePO) prior to 5.10 Update 10 allows an unauthenticated user to download McAfee product packages (specifically McAfee Agent) available in ePO repository and install them on their own machines to have it managed and then in turn get policy details from the ePO server. This can only happen when the ePO Agent Handler is installed in a Demilitarized Zone (DMZ) to service machines not connected to the network through a VPN.

Affected Version(s)

McAfee ePolicy Orchestrator (ePO) < 5.10 CU 10

References

https://kc.mcafee.com/corporate/index?page=content&id=SB1...

x_refsource_CONFIRM

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 26, 2021
Vulnerability Reserved
Jan 12, 2021