Sign-up

ID

VAR-200909-0306


CVE

CVE-2009-2201


TITLE

Apple Xsan Admin Error Message Information Disclosure Vulnerability

Trust: 0.9

sources: BID: 36385 // CNNVD: CNNVD-200909-285

DESCRIPTION

The screensharing feature in the Admin application in Apple Xsan before 2.2 places a cleartext username and password in a URL within an error dialog, which allows physically proximate attackers to obtain credentials by reading this dialog. Apple Xsan is prone to an information-disclosure vulnerability affecting the Xsan Admin component. Successful exploits may allow attackers with physical access to an affected computer to obtain password data. Information harvested may aid in launching further attacks. Versions prior to Xsan 2.2 are vulnerable. Xsan is an enterprise-class storage network solution, and Xsan Admin is an application for simplifying SAN management. ---------------------------------------------------------------------- Do you have VARM strategy implemented? (Vulnerability Assessment Remediation Management) If not, then implement it through the most reliable vulnerability intelligence source on the market. Implement it through Secunia. For more information visit: http://secunia.com/advisories/business_solutions/ Alternatively request a call from a Secunia representative today to discuss how we can help you with our capabilities contact us at: sales@secunia.com ---------------------------------------------------------------------- TITLE: Apple Xsan Admin Connection URL Username/Password Disclosure SECUNIA ADVISORY ID: SA36673 VERIFY ADVISORY: http://secunia.com/advisories/36673/ DESCRIPTION: A security issue has been reported in Xsan, which may disclose sensitive information to malicious people with physical access to a system. Any person able to see the user's display could gain knowledge of this information. SOLUTION: Update to version 2.2. PROVIDED AND/OR DISCOVERED BY: The vendor credits Ben Greisler, Kadimac Corp Macintosh Integrators. ORIGINAL ADVISORY: http://support.apple.com/kb/HT3797 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Trust: 2.07

sources: NVD: CVE-2009-2201 // JVNDB: JVNDB-2009-002144 // BID: 36385 // VULHUB: VHN-39647 // PACKETSTORM: 81342

AFFECTED PRODUCTS

vendor:applemodel:xsanscope:eqversion:1.2

Trust: 1.6

vendor:applemodel:xsanscope:eqversion:1.0

Trust: 1.6

vendor:applemodel:xsanscope:eqversion:1.3

Trust: 1.6

vendor:applemodel:xsanscope:lteversion:2.1.1

Trust: 1.0

vendor:applemodel:xsanscope:eqversion:2.1.1

Trust: 0.9

vendor:applemodel:mac os xscope:eqversion:v10.5.8

Trust: 0.8

vendor:applemodel:mac os x serverscope:eqversion:v10.5.8

Trust: 0.8

vendor:applemodel:xsanscope:ltversion:2.2

Trust: 0.8

vendor:applemodel:xsanscope:neversion:2.2

Trust: 0.3

sources: BID: 36385 // JVNDB: JVNDB-2009-002144 // CNNVD: CNNVD-200909-285 // NVD: CVE-2009-2201

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2009-2201
value: LOW

Trust: 1.0

NVD: CVE-2009-2201
value: LOW

Trust: 0.8

CNNVD: CNNVD-200909-285
value: LOW

Trust: 0.6

VULHUB: VHN-39647
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2009-2201
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-39647
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-39647 // JVNDB: JVNDB-2009-002144 // CNNVD: CNNVD-200909-285 // NVD: CVE-2009-2201

PROBLEMTYPE DATA

problemtype:CWE-310

Trust: 1.9

sources: VULHUB: VHN-39647 // JVNDB: JVNDB-2009-002144 // NVD: CVE-2009-2201

THREAT TYPE

local

Trust: 0.9

sources: BID: 36385 // CNNVD: CNNVD-200909-285

TYPE

encryption problem

Trust: 0.6

sources: CNNVD: CNNVD-200909-285

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2009-002144

PATCH
title:HT3797url:http://support.apple.com/kb/HT3797
Trust: 0.8
title:HT3797url:http://support.apple.com/kb/HT3797?viewlocale=ja_JP
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2009-002144

EXTERNAL IDS
db:NVDid:CVE-2009-2201
Trust: 2.8
db:BIDid:36385
Trust: 2.8
db:SECUNIAid:36673
Trust: 2.6
db:OSVDBid:58133
Trust: 2.5
db:VUPENid:ADV-2009-2644
Trust: 2.5
db:SECTRACKid:1022904
Trust: 2.5
db:XFid:53232
Trust: 1.4
db:JVNDBid:JVNDB-2009-002144
Trust: 0.8
db:CNNVDid:CNNVD-200909-285
Trust: 0.7
db:APPLEid:APPLE-SA-2009-09-14-1
Trust: 0.6
db:VULHUBid:VHN-39647
Trust: 0.1
db:PACKETSTORMid:81342
Trust: 0.1
sources:
            
            
            VULHUB: VHN-39647 // 
            
            
            
            BID: 36385 // 
            
            
            
            JVNDB: JVNDB-2009-002144 // 
            
            
            
            PACKETSTORM: 81342 // 
            
            
            
            CNNVD: CNNVD-200909-285 // 
            
            
            
            NVD: CVE-2009-2201

REFERENCES
url:http://www.securityfocus.com/bid/36385
Trust: 2.5
url:http://osvdb.org/58133
Trust: 2.5
url:http://www.securitytracker.com/id?1022904
Trust: 2.5
url:http://secunia.com/advisories/36673
Trust: 2.5
url:http://www.vupen.com/english/advisories/2009/2644
Trust: 2.5
url:http://support.apple.com/kb/ht3797
Trust: 1.8
url:http://lists.apple.com/archives/security-announce/2009/sep/msg00005.html
Trust: 1.7
url:http://xforce.iss.net/xforce/xfdb/53232
Trust: 1.4
url:https://exchange.xforce.ibmcloud.com/vulnerabilities/53232
Trust: 1.1
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-2201
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2009-2201
Trust: 0.8
url:http://www.apple.com/xsan/
Trust: 0.3
url:http://secunia.com/advisories/36673/
Trust: 0.1
url:http://secunia.com/advisories/secunia_security_advisories/
Trust: 0.1
url:http://secunia.com/advisories/business_solutions/
Trust: 0.1
url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
Trust: 0.1
url:http://secunia.com/advisories/about_secunia_advisories/
Trust: 0.1
sources:
            
            
            VULHUB: VHN-39647 // 
            
            
            
            BID: 36385 // 
            
            
            
            JVNDB: JVNDB-2009-002144 // 
            
            
            
            PACKETSTORM: 81342 // 
            
            
            
            CNNVD: CNNVD-200909-285 // 
            
            
            
            NVD: CVE-2009-2201

CREDITS
Ben Greisler
Trust: 0.6
sources:
            
            
            CNNVD: CNNVD-200909-285

SOURCES
db:VULHUBid:VHN-39647
db:BIDid:36385
db:JVNDBid:JVNDB-2009-002144
db:PACKETSTORMid:81342
db:CNNVDid:CNNVD-200909-285
db:NVDid:CVE-2009-2201

LAST UPDATE DATE
2025-04-10T23:19:41.311000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-39647date:2017-08-17T00:00:00
db:BIDid:36385date:2009-09-14T19:11:00
db:JVNDBid:JVNDB-2009-002144date:2009-10-26T00:00:00
db:CNNVDid:CNNVD-200909-285date:2009-09-19T00:00:00
db:NVDid:CVE-2009-2201date:2025-04-09T00:30:58.490

SOURCES RELEASE DATE
db:VULHUBid:VHN-39647date:2009-09-15T00:00:00
db:BIDid:36385date:2009-09-14T00:00:00
db:JVNDBid:JVNDB-2009-002144date:2009-10-26T00:00:00
db:PACKETSTORMid:81342date:2009-09-15T10:51:36
db:CNNVDid:CNNVD-200909-285date:2009-09-15T00:00:00
db:NVDid:CVE-2009-2201date:2009-09-15T22:30:00.203