VAION-262: plaintext password in audit log when user changes their password
11th March 2020.
When a manually added user changes their password in "My profile", their old password is shown in plaintext in the audit log.
- All versions up to and including 1.4.2.
- All 1.5 versions up to and including 1.5.1.
- All 1.4 versions from 1.4.3.
- All versions from 1.5.2.
- vcam: All versions.
- vcloud: All versions.
This issue has been fixed in vcore versions 1.4.3 and 1.5.2.
We recommend that all vcore installations running an affected version upgrade to the latest release as soon as possible.
- CVE: Pending
- CVSSv3 score: 6.8 Medium
- CVSSv3 vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N
This vulnerability can be mitigated by deleting the affected logs. Do this by connecting to the vcore SSH console and executing the following command (note that this will delete all logs):
vplat# advanced clear-logs
Issue found internally by Vaion.
- 09/03/2020 Issue found internally by Vaion
- 09/03/2020 Fix identified
- 11/03/2020 Patched vcore released
- 11/03/2020 Vulnerability publicly disclosed