CVE-2020-16244
First published: Wed Sep 23 2020(Updated: )
GE Digital APM Classic, Versions 4.4 and prior. Salt is not used for hash calculation of passwords, making it possible to decrypt passwords. This design flaw, along with the IDOR vulnerability, puts the entire platform at high risk because an authenticated user can retrieve all user account data and then retrieve the actual passwords.
Credit: ics-cert@hq.dhs.gov
| Affected Software | Affected Version | How to fix |
|---|---|---|
| GE Digital APM Classic | ||
| GE Digital APM Classic | <=4.4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2020-16244?
CVE-2020-16244 is classified as a high severity vulnerability due to the risk of password decryption.
How do I fix CVE-2020-16244?
To remediate CVE-2020-16244, upgrade to a version of GE Digital APM Classic that is later than 4.4 which implements proper salt for password hashing.
What systems are affected by CVE-2020-16244?
CVE-2020-16244 affects GE Digital APM Classic, specifically versions 4.4 and prior.
What is the impact of CVE-2020-16244?
The impact of CVE-2020-16244 allows authenticated users to retrieve all user account data due to insecure password handling.
Is there a workaround for CVE-2020-16244?
Currently, there is no publicly disclosed workaround for CVE-2020-16244; the recommended action is to upgrade the software.
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/author
- agent/weakness
- agent/last-modified-date
- agent/description
- agent/first-publish-date
- agent/references
- agent/severity
- agent/event
- agent/source
- collector/ics-cert-advisory
- source/ICS
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- vendor/ge digital
- canonical/ge digital apm classic
- vendor/ge
- version/ge digital apm classic/4.4