CVE-2024-29954: password management API prints sensitive information in log files
First published: Tue Jun 25 2024(Updated: )
A vulnerability in a password management API in Brocade Fabric OS versions before v9.2.1, v9.2.0b, v9.1.1d, and v8.2.3e prints sensitive information in log files. This could allow an authenticated user to view the server passwords for protocols such as scp and sftp. Detail. When the firmwaredownload command is incorrectly entered or points to an erroneous file, the firmware download log captures the failed command, including any password entered in the command line.
Credit: sirt@brocade.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Broadcom Fabric Operating System | <8.2.3e | |
| Broadcom Fabric Operating System | >=9.0.1<9.1.1d | |
| Broadcom Fabric Operating System | >=9.2.0<9.2.0b |
Remedy
Security update provided in Brocade Fabric OS v9.2.1, v9.2.0b, v9.1.1d, v8.2.3e
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- agent/title
- agent/references
- agent/remedy
- agent/description
- agent/type
- agent/first-publish-date
- agent/author
- agent/event
- collector/mitre-cve
- source/MITRE
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/weakness
- agent/severity
- agent/softwarecombine
- agent/tags
- vendor/broadcom
- canonical/broadcom fabric operating system
- version/broadcom fabric operating system/9.0.1
- version/broadcom fabric operating system/9.2.0