Details of VAR-201905-0809

ID

VAR-201905-0809

CVE

CVE-2018-16988

TITLE

Open XDMoD Vulnerable to password management

Trust: 0.8

sources: JVNDB: JVNDB-2018-015306

DESCRIPTION

An issue was discovered in Open XDMoD through 7.5.0. An authentication bypass (account takeover) exists due to a weak password reset mechanism. A brute-force attack against an MD5 rid value requires only 600 guesses in the plausible situation where the attacker knows that the victim has started a password-reset process (pass_reset.php, password_reset.php, XDUser.php) in the past few minutes. Open XDMoD Contains a vulnerability related to the password management function.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Open XDMoD is an open source tool for managing high-performance computing resources. There is an authorization problem vulnerability in Open XDMoD 7.5.0 and earlier versions. This vulnerability stems from the lack of authentication measures or insufficient authentication strength in network systems or products

Trust: 1.8

sources: NVD: CVE-2018-16988 // JVNDB: JVNDB-2018-015306 // VULHUB: VHN-127402 // VULMON: CVE-2018-16988

AFFECTED PRODUCTS

vendor:	xdmod	model:	open xdmod	scope:	eq	version:	7.5.0	Trust: 1.0
vendor:	xdmod	model:	open xdmod	scope:	lte	version:	7.0.1	Trust: 1.0
vendor:	university at buffalo	model:	open xdmod	scope:	lte	version:	7.5.0	Trust: 0.8

sources: JVNDB: JVNDB-2018-015306 // NVD: CVE-2018-16988

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2018-16988
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2018-16988
value:	CRITICAL
Trust: 0.8
CNNVD:	CNNVD-201905-089
value:	CRITICAL
Trust: 0.6
VULHUB:	VHN-127402
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2018-16988
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2018-16988
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-127402
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2018-16988
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	CVE-2018-16988
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-127402 // VULMON: CVE-2018-16988 // JVNDB: JVNDB-2018-015306 // CNNVD: CNNVD-201905-089 // NVD: CVE-2018-16988

PROBLEMTYPE DATA

problemtype:

CWE-640

Trust: 1.9

sources: VULHUB: VHN-127402 // JVNDB: JVNDB-2018-015306 // NVD: CVE-2018-16988

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201905-089

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-201905-089

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-015306

PATCH

title:	Top Page	url:	http://www.buffalo.edu/ccr.html	Trust: 0.8
title:	Open XDMoD Remediation measures for authorization problem vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=92216	Trust: 0.6
title:	CVE	url:	https://github.com/grymer/CVE	Trust: 0.1

sources: VULMON: CVE-2018-16988 // JVNDB: JVNDB-2018-015306 // CNNVD: CNNVD-201905-089

EXTERNAL IDS

db:	NVD	id:	CVE-2018-16988	Trust: 2.6
db:	JVNDB	id:	JVNDB-2018-015306	Trust: 0.8
db:	CNNVD	id:	CNNVD-201905-089	Trust: 0.7
db:	VULHUB	id:	VHN-127402	Trust: 0.1
db:	VULMON	id:	CVE-2018-16988	Trust: 0.1

sources: VULHUB: VHN-127402 // VULMON: CVE-2018-16988 // JVNDB: JVNDB-2018-015306 // CNNVD: CNNVD-201905-089 // NVD: CVE-2018-16988

REFERENCES

url:	https://github.com/grymer/cve/blob/master/cve-2018-16988.md	Trust: 2.6
url:	https://nvd.nist.gov/vuln/detail/cve-2018-16988	Trust: 1.4
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-16988	Trust: 0.8
url:	https://cwe.mitre.org/data/definitions/640.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://github.com/grymer/cve	Trust: 0.1

sources: VULHUB: VHN-127402 // VULMON: CVE-2018-16988 // JVNDB: JVNDB-2018-015306 // CNNVD: CNNVD-201905-089 // NVD: CVE-2018-16988

SOURCES

db:	VULHUB	id:	VHN-127402
db:	VULMON	id:	CVE-2018-16988
db:	JVNDB	id:	JVNDB-2018-015306
db:	CNNVD	id:	CNNVD-201905-089
db:	NVD	id:	CVE-2018-16988

LAST UPDATE DATE

2024-11-23T22:41:30.161000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-127402	date:	2020-01-02T00:00:00
db:	VULMON	id:	CVE-2018-16988	date:	2020-01-02T00:00:00
db:	JVNDB	id:	JVNDB-2018-015306	date:	2019-05-23T00:00:00
db:	CNNVD	id:	CNNVD-201905-089	date:	2019-05-08T00:00:00
db:	NVD	id:	CVE-2018-16988	date:	2024-11-21T03:53:39.690

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-127402	date:	2019-05-02T00:00:00
db:	VULMON	id:	CVE-2018-16988	date:	2019-05-02T00:00:00
db:	JVNDB	id:	JVNDB-2018-015306	date:	2019-05-23T00:00:00
db:	CNNVD	id:	CNNVD-201905-089	date:	2019-05-02T00:00:00
db:	NVD	id:	CVE-2018-16988	date:	2019-05-02T20:29:00.617