CVE-2021-23890: McAfee ePO Information Leak vulnerability
First published: Fri Mar 26 2021(Updated: )
Information leak vulnerability in the Agent Handler of McAfee ePolicy Orchestrator (ePO) prior to 5.10 Update 10 allows an unauthenticated user to download McAfee product packages (specifically McAfee Agent) available in ePO repository and install them on their own machines to have it managed and then in turn get policy details from the ePO server. This can only happen when the ePO Agent Handler is installed in a Demilitarized Zone (DMZ) to service machines not connected to the network through a VPN.
Credit: psirt@mcafee.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| McAfee ePolicy Orchestrator | <5.9.1 | |
| McAfee ePolicy Orchestrator | =5.10.0 | |
| McAfee ePolicy Orchestrator | =5.10.0-update_1 | |
| McAfee ePolicy Orchestrator | =5.10.0-update_2 | |
| McAfee ePolicy Orchestrator | =5.10.0-update_3 | |
| McAfee ePolicy Orchestrator | =5.10.0-update_4 | |
| McAfee ePolicy Orchestrator | =5.10.0-update_5 | |
| McAfee ePolicy Orchestrator | =5.10.0-update_6 | |
| McAfee ePolicy Orchestrator | =5.10.0-update_7 | |
| McAfee ePolicy Orchestrator | =5.10.0-update_8 | |
| McAfee ePolicy Orchestrator | =5.10.0-update_9 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is CVE-2021-23890?
CVE-2021-23890 is an information leak vulnerability in the Agent Handler of McAfee ePolicy Orchestrator (ePO) prior to version 5.10 Update 10.
What is the severity of CVE-2021-23890?
The severity of CVE-2021-23890 is medium with a CVSS score of 6.5.
Which software versions are affected by CVE-2021-23890?
CVE-2021-23890 affects McAfee ePolicy Orchestrator (ePO) versions prior to 5.10 Update 10.
How does CVE-2021-23890 work?
CVE-2021-23890 allows an unauthenticated user to download McAfee product packages (specifically McAfee Agent) available in the ePO repository and install them on their own machines.
Is there a fix for CVE-2021-23890?
Yes, upgrading to McAfee ePolicy Orchestrator (ePO) version 5.10 Update 10 or later resolves the vulnerability.
- collector/nvd-index
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/title
- agent/remedy
- agent/references
- agent/weakness
- agent/last-modified-date
- agent/author
- agent/tags
- agent/description
- agent/event
- agent/first-publish-date
- vendor/mcafee
- canonical/mcafee epolicy orchestrator
- version/mcafee epolicy orchestrator/5.10.0
- version/mcafee epolicy orchestrator/5.10.0-update_1
- version/mcafee epolicy orchestrator/5.10.0-update_2
- version/mcafee epolicy orchestrator/5.10.0-update_3
- version/mcafee epolicy orchestrator/5.10.0-update_4
- version/mcafee epolicy orchestrator/5.10.0-update_5
- version/mcafee epolicy orchestrator/5.10.0-update_6
- version/mcafee epolicy orchestrator/5.10.0-update_7
- version/mcafee epolicy orchestrator/5.10.0-update_8
- version/mcafee epolicy orchestrator/5.10.0-update_9