CVE-2023-37495 (GCVE-0-2023-37495)

Vulnerability from cvelistv5 – Published: 2024-02-20 18:22 – Updated: 2024-11-05 17:56
VLAI?
Summary
Internet passwords stored in Person documents in the Domino® Directory created using the "Add Person" action on the People & Groups tab in the Domino® Administrator are secured using a cryptographically weak hash algorithm. This could enable attackers with access to the hashed value to determine a user's password, e.g. using a brute force attack. This issue does not impact Person documents created through user registration https://help.hcltechsw.com/domino/10.0.1/admin/conf_userregistration_c.html .
Severity ?
5.9 (Medium)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE
  • CWE-306 - Missing Authentication for Critical Function
Assigner
HCL
References
Impacted products
Vendor Product Version
HCL Software HCL Domino Server Affected: 9, 10, 11, 12
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 5.9,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2023-37495",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-03-05T20:42:46.736480Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-306",
                "description": "CWE-306 Missing Authentication for Critical Function",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-05T17:56:44.670Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T17:16:30.243Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0107585"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "HCL Domino Server",
          "vendor": "HCL Software",
          "versions": [
            {
              "status": "affected",
              "version": "9, 10, 11, 12"
            }
          ]
        }
      ],
      "datePublic": "2024-02-20T16:35:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eInternet passwords stored in Person documents in the Domino\u00ae Directory created using the \"Add Person\" action on the People \u0026amp; Groups tab in the Domino\u00ae Administrator are secured using a cryptographically weak hash algorithm.  This could enable attackers with access to the hashed value to determine a user\u0027s password, e.g. using a brute force attack.  This issue does not impact Person documents created through \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://help.hcltechsw.com/domino/10.0.1/admin/conf_userregistration_c.html\"\u003euser registration\u003c/a\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e. \u003c/span\u003e\u003cbr\u003e"
            }
          ],
          "value": "Internet passwords stored in Person documents in the Domino\u00ae Directory created using the \"Add Person\" action on the People \u0026 Groups tab in the Domino\u00ae Administrator are secured using a cryptographically weak hash algorithm.  This could enable attackers with access to the hashed value to determine a user\u0027s password, e.g. using a brute force attack.  This issue does not impact Person documents created through  user registration https://help.hcltechsw.com/domino/10.0.1/admin/conf_userregistration_c.html . \n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL "
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-02-20T18:22:21.038Z",
        "orgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
        "shortName": "HCL"
      },
      "references": [
        {
          "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0107585"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "HCL Domino is susceptible to a weak cryptography vulnerability",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
    "assignerShortName": "HCL",
    "cveId": "CVE-2023-37495",
    "datePublished": "2024-02-20T18:22:21.038Z",
    "dateReserved": "2023-07-06T16:11:32.537Z",
    "dateUpdated": "2024-11-05T17:56:44.670Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Internet passwords stored in Person documents in the Domino\\u00ae Directory created using the \\\"Add Person\\\" action on the People \u0026 Groups tab in the Domino\\u00ae Administrator are secured using a cryptographically weak hash algorithm.  This could enable attackers with access to the hashed value to determine a user\u0027s password, e.g. using a brute force attack.  This issue does not impact Person documents created through  user registration https://help.hcltechsw.com/domino/10.0.1/admin/conf_userregistration_c.html . \\n\"}, {\"lang\": \"es\", \"value\": \"Las contrase\\u00f1as de Internet almacenadas en documentos personales en el directorio de Domino\\u00ae creado mediante la acci\\u00f3n \\\"Agregar persona\\\" en la pesta\\u00f1a Personas y grupos del Administrador de Domino\\u00ae est\\u00e1n protegidas mediante un algoritmo hash criptogr\\u00e1ficamente d\\u00e9bil. Esto podr\\u00eda permitir a los atacantes con acceso al valor hash determinar la contrase\\u00f1a de un usuario, por ejemplo, mediante un ataque de fuerza bruta. Este problema no afecta los documentos personales creados mediante el registro de usuario https://help.hcltechsw.com/domino/10.0.1/admin/conf_userregistration_c.html.\"}]",
      "id": "CVE-2023-37495",
      "lastModified": "2024-11-21T08:11:49.717",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"psirt@hcl.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"baseScore\": 5.9, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.2, \"impactScore\": 3.6}, {\"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"baseScore\": 5.9, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.2, \"impactScore\": 3.6}]}",
      "published": "2024-02-29T01:40:04.220",
      "references": "[{\"url\": \"https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0107585\", \"source\": \"psirt@hcl.com\"}, {\"url\": \"https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0107585\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
      "sourceIdentifier": "psirt@hcl.com",
      "vulnStatus": "Awaiting Analysis",
      "weaknesses": "[{\"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-306\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-37495\",\"sourceIdentifier\":\"psirt@hcl.com\",\"published\":\"2024-02-29T01:40:04.220\",\"lastModified\":\"2025-05-08T16:56:18.013\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Internet passwords stored in Person documents in the Domino\u00ae Directory created using the \\\"Add Person\\\" action on the People \u0026 Groups tab in the Domino\u00ae Administrator are secured using a cryptographically weak hash algorithm.  This could enable attackers with access to the hashed value to determine a user\u0027s password, e.g. using a brute force attack.  This issue does not impact Person documents created through  user registration https://help.hcltechsw.com/domino/10.0.1/admin/conf_userregistration_c.html . \\n\"},{\"lang\":\"es\",\"value\":\"Las contrase\u00f1as de Internet almacenadas en documentos personales en el directorio de Domino\u00ae creado mediante la acci\u00f3n \\\"Agregar persona\\\" en la pesta\u00f1a Personas y grupos del Administrador de Domino\u00ae est\u00e1n protegidas mediante un algoritmo hash criptogr\u00e1ficamente d\u00e9bil. Esto podr\u00eda permitir a los atacantes con acceso al valor hash determinar la contrase\u00f1a de un usuario, por ejemplo, mediante un ataque de fuerza bruta. Este problema no afecta los documentos personales creados mediante el registro de usuario https://help.hcltechsw.com/domino/10.0.1/admin/conf_userregistration_c.html.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"psirt@hcl.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":5.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.2,\"impactScore\":3.6},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":5.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.2,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-306\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:hcltech:domino:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"9.0\",\"versionEndExcluding\":\"14.0\",\"matchCriteriaId\":\"A56E68A6-976F-412D-AA65-7940FB574149\"}]}]}],\"references\":[{\"url\":\"https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0107585\",\"source\":\"psirt@hcl.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0107585\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0107585\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T17:16:30.243Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.9, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-37495\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-03-05T20:42:46.736480Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-306\", \"description\": \"CWE-306 Missing Authentication for Critical Function\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-05-23T19:01:15.926Z\"}}], \"cna\": {\"title\": \"HCL Domino is susceptible to a weak cryptography vulnerability\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.9, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL \"}]}], \"affected\": [{\"vendor\": \"HCL Software\", \"product\": \"HCL Domino Server\", \"versions\": [{\"status\": \"affected\", \"version\": \"9, 10, 11, 12\"}], \"defaultStatus\": \"unaffected\"}], \"datePublic\": \"2024-02-20T16:35:00.000Z\", \"references\": [{\"url\": \"https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0107585\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Internet passwords stored in Person documents in the Domino\\u00ae Directory created using the \\\"Add Person\\\" action on the People \u0026 Groups tab in the Domino\\u00ae Administrator are secured using a cryptographically weak hash algorithm.  This could enable attackers with access to the hashed value to determine a user\u0027s password, e.g. using a brute force attack.  This issue does not impact Person documents created through  user registration https://help.hcltechsw.com/domino/10.0.1/admin/conf_userregistration_c.html . \\n\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eInternet passwords stored in Person documents in the Domino\\u00ae Directory created using the \\\"Add Person\\\" action on the People \u0026amp; Groups tab in the Domino\\u00ae Administrator are secured using a cryptographically weak hash algorithm.  This could enable attackers with access to the hashed value to determine a user\u0027s password, e.g. using a brute force attack.  This issue does not impact Person documents created through \u003c/span\u003e\u003ca target=\\\"_blank\\\" rel=\\\"nofollow\\\" href=\\\"https://help.hcltechsw.com/domino/10.0.1/admin/conf_userregistration_c.html\\\"\u003euser registration\u003c/a\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003e. \u003c/span\u003e\u003cbr\u003e\", \"base64\": false}]}], \"providerMetadata\": {\"orgId\": \"1e47fe04-f25f-42fa-b674-36de2c5e3cfc\", \"shortName\": \"HCL\", \"dateUpdated\": \"2024-02-20T18:22:21.038Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-37495\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-11-05T17:56:44.670Z\", \"dateReserved\": \"2023-07-06T16:11:32.537Z\", \"assignerOrgId\": \"1e47fe04-f25f-42fa-b674-36de2c5e3cfc\", \"datePublished\": \"2024-02-20T18:22:21.038Z\", \"assignerShortName\": \"HCL\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.