Vulnerability-Lookup

CNVD-2020-29622

Vulnerability from cnvd - Published: 2020-05-24

Title

Bond Technology Management JetSelect存在未明漏洞（CNVD-2020-29622）

Description

Bond Technology Management JetSelect是塞浦路斯Bond Technology Management公司的一款用于管理船上IP和网络的应用程序。 Bond Technology Management JetSelect存在未明漏洞。攻击者可利用该漏洞获取JetSelect管理员的密码，从而能够修改和删除容器中的所有网络配置。

Severity

高

Patch Name

Bond Technology Management JetSelect存在未明漏洞（CNVD-2020-29622）的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： http://www.jetstream.mc/

Reference

https://nvd.nist.gov/vuln/detail/CVE-2019-13022

Impacted products

Name
Bond Technology Management JetSelect

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2019-13022"
    }
  },
  "description": "Bond Technology Management JetSelect\u662f\u585e\u6d66\u8def\u65afBond Technology Management\u516c\u53f8\u7684\u4e00\u6b3e\u7528\u4e8e\u7ba1\u7406\u8239\u4e0aIP\u548c\u7f51\u7edc\u7684\u5e94\u7528\u7a0b\u5e8f\u3002\n\nBond Technology Management JetSelect\u5b58\u5728\u672a\u660e\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6JetSelect\u7ba1\u7406\u5458\u7684\u5bc6\u7801\uff0c\u4ece\u800c\u80fd\u591f\u4fee\u6539\u548c\u5220\u9664\u5bb9\u5668\u4e2d\u7684\u6240\u6709\u7f51\u7edc\u914d\u7f6e\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttp://www.jetstream.mc/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-29622",
  "openTime": "2020-05-24",
  "patchDescription": "Bond Technology Management JetSelect\u662f\u585e\u6d66\u8def\u65afBond Technology Management\u516c\u53f8\u7684\u4e00\u6b3e\u7528\u4e8e\u7ba1\u7406\u8239\u4e0aIP\u548c\u7f51\u7edc\u7684\u5e94\u7528\u7a0b\u5e8f\u3002\r\n\r\nBond Technology Management JetSelect\u5b58\u5728\u672a\u660e\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6JetSelect\u7ba1\u7406\u5458\u7684\u5bc6\u7801\uff0c\u4ece\u800c\u80fd\u591f\u4fee\u6539\u548c\u5220\u9664\u5bb9\u5668\u4e2d\u7684\u6240\u6709\u7f51\u7edc\u914d\u7f6e\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Bond Technology Management JetSelect\u5b58\u5728\u672a\u660e\u6f0f\u6d1e\uff08CNVD-2020-29622\uff09\u7684\u8865\u4e01",
  "products": {
    "product": "Bond Technology Management JetSelect"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2019-13022",
  "serverity": "\u9ad8",
  "submitTime": "2020-05-15",
  "title": "Bond Technology Management JetSelect\u5b58\u5728\u672a\u660e\u6f0f\u6d1e\uff08CNVD-2020-29622\uff09"
}

CVE-2019-13022 (GCVE-0-2019-13022)

Vulnerability from cvelistv5 – Published: 2020-05-14 16:18 – Updated: 2024-08-04 23:41

Summary

Bond JetSelect (all versions) has an issue in the Java class (ENCtool.jar) and corresponding password generation algorithm (used to set initial passwords upon first installation). It XORs the plaintext into the 'encrypted' password that is then stored within the database. These steps are able to be trivially reversed, allowing for escalation of privilege within the JetSelect application through obtaining the passwords of JetSelect administrators. JetSelect administrators have the ability to modify and delete all networking configuration across a vessel, as well as altering network configuration of all managed network devices (switches, routers).

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

Tags

https://labs.nettitude.com/blog/cve-2019-13021-22…

x_refsource_MISC

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T23:41:10.137Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://labs.nettitude.com/blog/cve-2019-13021-22-23-jetselect-network-segregation-application/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Bond JetSelect (all versions) has an issue in the Java class (ENCtool.jar) and corresponding password generation algorithm (used to set initial passwords upon first installation). It XORs the plaintext into the \u0027encrypted\u0027 password that is then stored within the database. These steps are able to be trivially reversed, allowing for escalation of privilege within the JetSelect application through obtaining the passwords of JetSelect administrators. JetSelect administrators have the ability to modify and delete all networking configuration across a vessel, as well as altering network configuration of all managed network devices (switches, routers)."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-05-14T16:18:16.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://labs.nettitude.com/blog/cve-2019-13021-22-23-jetselect-network-segregation-application/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2019-13022",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Bond JetSelect (all versions) has an issue in the Java class (ENCtool.jar) and corresponding password generation algorithm (used to set initial passwords upon first installation). It XORs the plaintext into the \u0027encrypted\u0027 password that is then stored within the database. These steps are able to be trivially reversed, allowing for escalation of privilege within the JetSelect application through obtaining the passwords of JetSelect administrators. JetSelect administrators have the ability to modify and delete all networking configuration across a vessel, as well as altering network configuration of all managed network devices (switches, routers)."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://labs.nettitude.com/blog/cve-2019-13021-22-23-jetselect-network-segregation-application/",
              "refsource": "MISC",
              "url": "https://labs.nettitude.com/blog/cve-2019-13021-22-23-jetselect-network-segregation-application/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2019-13022",
    "datePublished": "2020-05-14T16:18:16.000Z",
    "dateReserved": "2019-06-28T00:00:00.000Z",
    "dateUpdated": "2024-08-04T23:41:10.137Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2020-29622

CVE-2019-13022 (GCVE-0-2019-13022)

Tags

Sightings

Nomenclature