Insecure Credential Storage in Fujitsu Software Infrastructure Manager
CVE-2023-39903

5.9 MEDIUM

Key Information:

Vendor: Fujitsu
CVE Published: 7 August 2023

What is CVE-2023-39903?

Fujitsu Software Infrastructure Manager (ISM) versions prior to 2.8.0.061 are affected by a vulnerability in the ismsnap component, which handles authorization credentials inadequately: they are stored in cleartext in the FirmwareManagement.log file. This happens specifically during the setup test of the ISM Firmware Repository Address or when authenticating with a configured remote firmware repository. An authorized attacker could exploit this vulnerability to collect sensitive maintenance data by leveraging the same privileges as trusted users. The vulnerability is particularly exploitable when the Download Firmware function is enabled and the backslash character is present in the user credentials configured for the remote proxy host or the firmware repository server. Organizations using affected versions should review their configurations and apply the latest updates to mitigate the risk.

CVSS V3.1

Score: 5.9
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
