Search criteria
12 vulnerabilities found for BigFix Compliance by HCL Software
CVE-2024-30142 (GCVE-0-2024-30142)
Vulnerability from cvelistv5 – Published: 2024-11-07 08:58 – Updated: 2024-11-07 14:28
VLAI?
Title
HCL BigFix Compliance is affected by a missing secure flag on a cookie
Summary
HCL BigFix Compliance is affected by a missing secure flag on a cookie. If a secure flag is not set, cookies may be stolen by an attacker using XSS, resulting in unauthorized access or session cookies could be transferred over an unencrypted channel.
Severity ?
CWE
- CWE-614 - Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| HCL Software | BigFix Compliance |
Affected:
2.0.11
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-30142",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-07T14:28:01.768372Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-07T14:28:08.789Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "BigFix Compliance",
"vendor": "HCL Software",
"versions": [
{
"status": "affected",
"version": "2.0.11"
}
]
}
],
"datePublic": "2024-11-07T07:50:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eHCL BigFix Compliance is affected by a missing secure flag on a cookie. If a secure flag is not set, cookies may be stolen by an attacker using XSS, resulting in unauthorized access or session cookies could be transferred over an unencrypted channel.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "HCL BigFix Compliance is affected by a missing secure flag on a cookie. If a secure flag is not set, cookies may be stolen by an attacker using XSS, resulting in unauthorized access or session cookies could be transferred over an unencrypted channel."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-614",
"description": "CWE-614 Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-07T08:59:01.192Z",
"orgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
"shortName": "HCL"
},
"references": [
{
"url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0117197"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "HCL BigFix Compliance is affected by a missing secure flag on a cookie",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
"assignerShortName": "HCL",
"cveId": "CVE-2024-30142",
"datePublished": "2024-11-07T08:58:42.811Z",
"dateReserved": "2024-03-22T23:57:24.981Z",
"dateUpdated": "2024-11-07T14:28:08.789Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-30141 (GCVE-0-2024-30141)
Vulnerability from cvelistv5 – Published: 2024-11-07 08:36 – Updated: 2024-11-07 14:28
VLAI?
Title
HCL BigFix Compliance is vulnerable to the generation of error messages containing sensitive information
Summary
HCL BigFix Compliance is vulnerable to the generation of error messages containing sensitive information. Detailed error messages can provide enticement information or expose information about its environment, users, or associated data.
Severity ?
4.7 (Medium)
CWE
- CWE-209 - Generation of Error Message Containing Sensitive Information
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| HCL Software | BigFix Compliance |
Affected:
2.0.11
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-30141",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-07T14:28:21.005823Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-07T14:28:28.086Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "BigFix Compliance",
"vendor": "HCL Software",
"versions": [
{
"status": "affected",
"version": "2.0.11"
}
]
}
],
"datePublic": "2024-11-07T07:50:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eHCL BigFix Compliance is vulnerable to the generation of error messages containing sensitive information. Detailed error messages can provide enticement information or expose information about its environment, users, or associated data.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "HCL BigFix Compliance is vulnerable to the generation of error messages containing sensitive information. Detailed error messages can provide enticement information or expose information about its environment, users, or associated data."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-209",
"description": "CWE-209 Generation of Error Message Containing Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-07T08:36:13.573Z",
"orgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
"shortName": "HCL"
},
"references": [
{
"url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0117197"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "HCL BigFix Compliance is vulnerable to the generation of error messages containing sensitive information",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
"assignerShortName": "HCL",
"cveId": "CVE-2024-30141",
"datePublished": "2024-11-07T08:36:13.573Z",
"dateReserved": "2024-03-22T23:57:24.981Z",
"dateUpdated": "2024-11-07T14:28:28.086Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-30140 (GCVE-0-2024-30140)
Vulnerability from cvelistv5 – Published: 2024-11-07 08:17 – Updated: 2024-11-07 14:28
VLAI?
Title
HCL BigFix Compliance is affected by unvalidated redirects and forwards
Summary
HCL BigFix Compliance is affected by unvalidated redirects and forwards. The HOST header can be manipulated by an attacker and as a result, it can poison the web cache and provide back to users being served the page.
Severity ?
5.4 (Medium)
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| HCL Software | BigFix Compliance |
Affected:
2.0.11
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-30140",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-07T14:28:39.480382Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-07T14:28:47.434Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "BigFix Compliance",
"vendor": "HCL Software",
"versions": [
{
"status": "affected",
"version": "2.0.11"
}
]
}
],
"datePublic": "2024-11-07T07:50:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eHCL BigFix Compliance is affected by unvalidated redirects and forwards. The HOST header can be manipulated by an attacker and as a result, it can poison the web cache and provide back to users being served the page.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "HCL BigFix Compliance is affected by unvalidated redirects and forwards. The HOST header can be manipulated by an attacker and as a result, it can poison the web cache and provide back to users being served the page."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-07T08:17:56.737Z",
"orgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
"shortName": "HCL"
},
"references": [
{
"url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0117197"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "HCL BigFix Compliance is affected by unvalidated redirects and forwards",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
"assignerShortName": "HCL",
"cveId": "CVE-2024-30140",
"datePublished": "2024-11-07T08:17:56.737Z",
"dateReserved": "2024-03-22T23:57:24.980Z",
"dateUpdated": "2024-11-07T14:28:47.434Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-30126 (GCVE-0-2024-30126)
Vulnerability from cvelistv5 – Published: 2024-07-18 19:17 – Updated: 2024-10-30 16:24
VLAI?
Title
HCL BigFix Compliance is affected by a missing X-Frame-Options Header vulnerability
Summary
HCL BigFix Compliance is affected by a missing X-Frame-Options HTTP header which can allow an attacker to create a malicious website that embeds the target website in a frame or iframe, tricking users into performing actions on the target website without their knowledge.
Severity ?
4.7 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| HCL Software | BigFix Compliance |
Affected:
2.0.x
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-30126",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-18T20:04:54.543941Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-30T16:24:33.273Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:25:02.931Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0113886"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "BigFix Compliance",
"vendor": "HCL Software",
"versions": [
{
"status": "affected",
"version": "2.0.x"
}
]
}
],
"datePublic": "2024-07-18T17:40:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eHCL BigFix Compliance is affected by a missing X-Frame-Options HTTP header which can allow an attacker to create a malicious website that embeds the target website in a frame or iframe, tricking users into performing actions on the target website without their knowledge.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "HCL BigFix Compliance is affected by a missing X-Frame-Options HTTP header which can allow an attacker to create a malicious website that embeds the target website in a frame or iframe, tricking users into performing actions on the target website without their knowledge."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-18T19:17:01.983Z",
"orgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
"shortName": "HCL"
},
"references": [
{
"url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0113886"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "HCL BigFix Compliance is affected by a missing X-Frame-Options Header vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
"assignerShortName": "HCL",
"cveId": "CVE-2024-30126",
"datePublished": "2024-07-18T19:17:01.983Z",
"dateReserved": "2024-03-22T23:57:23.589Z",
"dateUpdated": "2024-10-30T16:24:33.273Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-30125 (GCVE-0-2024-30125)
Vulnerability from cvelistv5 – Published: 2024-07-18 17:59 – Updated: 2024-11-12 20:40
VLAI?
Title
HCL BigFix Compliance is affected by an internal server error
Summary
HCL BigFix Compliance server can respond with an HTTP status of 500, indicating a server-side error that may cause the server process to die.
Severity ?
6.2 (Medium)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| HCL Software | BigFix Compliance |
Affected:
2.0.x
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-30125",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-19T17:22:43.393215Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T20:40:57.871Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:25:02.997Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0113886"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "BigFix Compliance",
"vendor": "HCL Software",
"versions": [
{
"status": "affected",
"version": "2.0.x"
}
]
}
],
"datePublic": "2024-07-18T17:40:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eHCL BigFix Compliance server can respond with an HTTP status of 500, indicating a server-side error that may cause the server process to die.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "HCL BigFix Compliance server can respond with an HTTP status of 500, indicating a server-side error that may cause the server process to die."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-18T19:21:24.064Z",
"orgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
"shortName": "HCL"
},
"references": [
{
"url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0113886"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "HCL BigFix Compliance is affected by an internal server error",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
"assignerShortName": "HCL",
"cveId": "CVE-2024-30125",
"datePublished": "2024-07-18T17:59:48.338Z",
"dateReserved": "2024-03-22T23:57:22.507Z",
"dateUpdated": "2024-11-12T20:40:57.871Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-23551 (GCVE-0-2024-23551)
Vulnerability from cvelistv5 – Published: 2024-05-07 21:46 – Updated: 2024-08-01 23:06
VLAI?
Title
HCL BigFix Compliance is potentially affected by Oracle database credentials stored at endpoint
Summary
Database scanning using username and password stores the credentials in plaintext or encoded format within files at the endpoint. This has been identified as a significant security risk. This will lead to exposure of sensitive information for unauthorized access, potentially leading to severe consequences such as data breaches, unauthorized data manipulation, and compromised system integrity.
Severity ?
6.5 (Medium)
CWE
- CWE-522 - Insufficiently Protected Credentials
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| HCL Software | BigFix Compliance |
Affected:
v9.x, v10.x, v11.x
|
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:hcltech:bigfix_compliance:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "bigfix_compliance",
"vendor": "hcltech",
"versions": [
{
"lessThanOrEqual": "9.5.25.11",
"status": "affected",
"version": "9.0.835.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "10.0.5.0",
"status": "affected",
"version": "10.0.0.133",
"versionType": "custom"
},
{
"lessThanOrEqual": "11.0.2.125",
"status": "affected",
"version": "11.0.0.175",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-23551",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-19T13:14:36.472135Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-31T13:52:12.348Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T23:06:25.195Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0112963"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "BigFix Compliance",
"vendor": "HCL Software",
"versions": [
{
"status": "affected",
"version": "v9.x, v10.x, v11.x"
}
]
}
],
"datePublic": "2024-05-07T21:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Database scanning using username and password stores the credentials in\u0026nbsp;plaintext or encoded format within files at the endpoint. This has been identified as a significant\u0026nbsp;security risk. This will lead to exposure of sensitive information for unauthorized access,\u0026nbsp;potentially leading to severe consequences such as data breaches, unauthorized data\u0026nbsp;manipulation, and compromised system integrity."
}
],
"value": "Database scanning using username and password stores the credentials in\u00a0plaintext or encoded format within files at the endpoint. This has been identified as a significant\u00a0security risk. This will lead to exposure of sensitive information for unauthorized access,\u00a0potentially leading to severe consequences such as data breaches, unauthorized data\u00a0manipulation, and compromised system integrity."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-522",
"description": "CWE-522 Insufficiently Protected Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-07T21:46:54.285Z",
"orgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
"shortName": "HCL"
},
"references": [
{
"url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0112963"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "HCL BigFix Compliance is potentially affected by Oracle database credentials stored at endpoint",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
"assignerShortName": "HCL",
"cveId": "CVE-2024-23551",
"datePublished": "2024-05-07T21:46:54.285Z",
"dateReserved": "2024-01-18T07:29:53.325Z",
"dateUpdated": "2024-08-01T23:06:25.195Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-30142 (GCVE-0-2024-30142)
Vulnerability from nvd – Published: 2024-11-07 08:58 – Updated: 2024-11-07 14:28
VLAI?
Title
HCL BigFix Compliance is affected by a missing secure flag on a cookie
Summary
HCL BigFix Compliance is affected by a missing secure flag on a cookie. If a secure flag is not set, cookies may be stolen by an attacker using XSS, resulting in unauthorized access or session cookies could be transferred over an unencrypted channel.
Severity ?
CWE
- CWE-614 - Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| HCL Software | BigFix Compliance |
Affected:
2.0.11
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-30142",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-07T14:28:01.768372Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-07T14:28:08.789Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "BigFix Compliance",
"vendor": "HCL Software",
"versions": [
{
"status": "affected",
"version": "2.0.11"
}
]
}
],
"datePublic": "2024-11-07T07:50:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eHCL BigFix Compliance is affected by a missing secure flag on a cookie. If a secure flag is not set, cookies may be stolen by an attacker using XSS, resulting in unauthorized access or session cookies could be transferred over an unencrypted channel.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "HCL BigFix Compliance is affected by a missing secure flag on a cookie. If a secure flag is not set, cookies may be stolen by an attacker using XSS, resulting in unauthorized access or session cookies could be transferred over an unencrypted channel."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-614",
"description": "CWE-614 Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-07T08:59:01.192Z",
"orgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
"shortName": "HCL"
},
"references": [
{
"url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0117197"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "HCL BigFix Compliance is affected by a missing secure flag on a cookie",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
"assignerShortName": "HCL",
"cveId": "CVE-2024-30142",
"datePublished": "2024-11-07T08:58:42.811Z",
"dateReserved": "2024-03-22T23:57:24.981Z",
"dateUpdated": "2024-11-07T14:28:08.789Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-30141 (GCVE-0-2024-30141)
Vulnerability from nvd – Published: 2024-11-07 08:36 – Updated: 2024-11-07 14:28
VLAI?
Title
HCL BigFix Compliance is vulnerable to the generation of error messages containing sensitive information
Summary
HCL BigFix Compliance is vulnerable to the generation of error messages containing sensitive information. Detailed error messages can provide enticement information or expose information about its environment, users, or associated data.
Severity ?
4.7 (Medium)
CWE
- CWE-209 - Generation of Error Message Containing Sensitive Information
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| HCL Software | BigFix Compliance |
Affected:
2.0.11
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-30141",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-07T14:28:21.005823Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-07T14:28:28.086Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "BigFix Compliance",
"vendor": "HCL Software",
"versions": [
{
"status": "affected",
"version": "2.0.11"
}
]
}
],
"datePublic": "2024-11-07T07:50:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eHCL BigFix Compliance is vulnerable to the generation of error messages containing sensitive information. Detailed error messages can provide enticement information or expose information about its environment, users, or associated data.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "HCL BigFix Compliance is vulnerable to the generation of error messages containing sensitive information. Detailed error messages can provide enticement information or expose information about its environment, users, or associated data."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-209",
"description": "CWE-209 Generation of Error Message Containing Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-07T08:36:13.573Z",
"orgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
"shortName": "HCL"
},
"references": [
{
"url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0117197"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "HCL BigFix Compliance is vulnerable to the generation of error messages containing sensitive information",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
"assignerShortName": "HCL",
"cveId": "CVE-2024-30141",
"datePublished": "2024-11-07T08:36:13.573Z",
"dateReserved": "2024-03-22T23:57:24.981Z",
"dateUpdated": "2024-11-07T14:28:28.086Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-30140 (GCVE-0-2024-30140)
Vulnerability from nvd – Published: 2024-11-07 08:17 – Updated: 2024-11-07 14:28
VLAI?
Title
HCL BigFix Compliance is affected by unvalidated redirects and forwards
Summary
HCL BigFix Compliance is affected by unvalidated redirects and forwards. The HOST header can be manipulated by an attacker and as a result, it can poison the web cache and provide back to users being served the page.
Severity ?
5.4 (Medium)
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| HCL Software | BigFix Compliance |
Affected:
2.0.11
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-30140",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-07T14:28:39.480382Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-07T14:28:47.434Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "BigFix Compliance",
"vendor": "HCL Software",
"versions": [
{
"status": "affected",
"version": "2.0.11"
}
]
}
],
"datePublic": "2024-11-07T07:50:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eHCL BigFix Compliance is affected by unvalidated redirects and forwards. The HOST header can be manipulated by an attacker and as a result, it can poison the web cache and provide back to users being served the page.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "HCL BigFix Compliance is affected by unvalidated redirects and forwards. The HOST header can be manipulated by an attacker and as a result, it can poison the web cache and provide back to users being served the page."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-07T08:17:56.737Z",
"orgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
"shortName": "HCL"
},
"references": [
{
"url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0117197"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "HCL BigFix Compliance is affected by unvalidated redirects and forwards",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
"assignerShortName": "HCL",
"cveId": "CVE-2024-30140",
"datePublished": "2024-11-07T08:17:56.737Z",
"dateReserved": "2024-03-22T23:57:24.980Z",
"dateUpdated": "2024-11-07T14:28:47.434Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-30126 (GCVE-0-2024-30126)
Vulnerability from nvd – Published: 2024-07-18 19:17 – Updated: 2024-10-30 16:24
VLAI?
Title
HCL BigFix Compliance is affected by a missing X-Frame-Options Header vulnerability
Summary
HCL BigFix Compliance is affected by a missing X-Frame-Options HTTP header which can allow an attacker to create a malicious website that embeds the target website in a frame or iframe, tricking users into performing actions on the target website without their knowledge.
Severity ?
4.7 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| HCL Software | BigFix Compliance |
Affected:
2.0.x
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-30126",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-18T20:04:54.543941Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-30T16:24:33.273Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:25:02.931Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0113886"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "BigFix Compliance",
"vendor": "HCL Software",
"versions": [
{
"status": "affected",
"version": "2.0.x"
}
]
}
],
"datePublic": "2024-07-18T17:40:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eHCL BigFix Compliance is affected by a missing X-Frame-Options HTTP header which can allow an attacker to create a malicious website that embeds the target website in a frame or iframe, tricking users into performing actions on the target website without their knowledge.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "HCL BigFix Compliance is affected by a missing X-Frame-Options HTTP header which can allow an attacker to create a malicious website that embeds the target website in a frame or iframe, tricking users into performing actions on the target website without their knowledge."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-18T19:17:01.983Z",
"orgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
"shortName": "HCL"
},
"references": [
{
"url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0113886"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "HCL BigFix Compliance is affected by a missing X-Frame-Options Header vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
"assignerShortName": "HCL",
"cveId": "CVE-2024-30126",
"datePublished": "2024-07-18T19:17:01.983Z",
"dateReserved": "2024-03-22T23:57:23.589Z",
"dateUpdated": "2024-10-30T16:24:33.273Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-30125 (GCVE-0-2024-30125)
Vulnerability from nvd – Published: 2024-07-18 17:59 – Updated: 2024-11-12 20:40
VLAI?
Title
HCL BigFix Compliance is affected by an internal server error
Summary
HCL BigFix Compliance server can respond with an HTTP status of 500, indicating a server-side error that may cause the server process to die.
Severity ?
6.2 (Medium)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| HCL Software | BigFix Compliance |
Affected:
2.0.x
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-30125",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-19T17:22:43.393215Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T20:40:57.871Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:25:02.997Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0113886"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "BigFix Compliance",
"vendor": "HCL Software",
"versions": [
{
"status": "affected",
"version": "2.0.x"
}
]
}
],
"datePublic": "2024-07-18T17:40:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eHCL BigFix Compliance server can respond with an HTTP status of 500, indicating a server-side error that may cause the server process to die.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "HCL BigFix Compliance server can respond with an HTTP status of 500, indicating a server-side error that may cause the server process to die."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-18T19:21:24.064Z",
"orgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
"shortName": "HCL"
},
"references": [
{
"url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0113886"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "HCL BigFix Compliance is affected by an internal server error",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
"assignerShortName": "HCL",
"cveId": "CVE-2024-30125",
"datePublished": "2024-07-18T17:59:48.338Z",
"dateReserved": "2024-03-22T23:57:22.507Z",
"dateUpdated": "2024-11-12T20:40:57.871Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-23551 (GCVE-0-2024-23551)
Vulnerability from nvd – Published: 2024-05-07 21:46 – Updated: 2024-08-01 23:06
VLAI?
Title
HCL BigFix Compliance is potentially affected by Oracle database credentials stored at endpoint
Summary
Database scanning using username and password stores the credentials in plaintext or encoded format within files at the endpoint. This has been identified as a significant security risk. This will lead to exposure of sensitive information for unauthorized access, potentially leading to severe consequences such as data breaches, unauthorized data manipulation, and compromised system integrity.
Severity ?
6.5 (Medium)
CWE
- CWE-522 - Insufficiently Protected Credentials
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| HCL Software | BigFix Compliance |
Affected:
v9.x, v10.x, v11.x
|
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:hcltech:bigfix_compliance:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "bigfix_compliance",
"vendor": "hcltech",
"versions": [
{
"lessThanOrEqual": "9.5.25.11",
"status": "affected",
"version": "9.0.835.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "10.0.5.0",
"status": "affected",
"version": "10.0.0.133",
"versionType": "custom"
},
{
"lessThanOrEqual": "11.0.2.125",
"status": "affected",
"version": "11.0.0.175",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-23551",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-19T13:14:36.472135Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-31T13:52:12.348Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T23:06:25.195Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0112963"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "BigFix Compliance",
"vendor": "HCL Software",
"versions": [
{
"status": "affected",
"version": "v9.x, v10.x, v11.x"
}
]
}
],
"datePublic": "2024-05-07T21:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Database scanning using username and password stores the credentials in\u0026nbsp;plaintext or encoded format within files at the endpoint. This has been identified as a significant\u0026nbsp;security risk. This will lead to exposure of sensitive information for unauthorized access,\u0026nbsp;potentially leading to severe consequences such as data breaches, unauthorized data\u0026nbsp;manipulation, and compromised system integrity."
}
],
"value": "Database scanning using username and password stores the credentials in\u00a0plaintext or encoded format within files at the endpoint. This has been identified as a significant\u00a0security risk. This will lead to exposure of sensitive information for unauthorized access,\u00a0potentially leading to severe consequences such as data breaches, unauthorized data\u00a0manipulation, and compromised system integrity."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-522",
"description": "CWE-522 Insufficiently Protected Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-07T21:46:54.285Z",
"orgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
"shortName": "HCL"
},
"references": [
{
"url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0112963"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "HCL BigFix Compliance is potentially affected by Oracle database credentials stored at endpoint",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
"assignerShortName": "HCL",
"cveId": "CVE-2024-23551",
"datePublished": "2024-05-07T21:46:54.285Z",
"dateReserved": "2024-01-18T07:29:53.325Z",
"dateUpdated": "2024-08-01T23:06:25.195Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}