VAR-201506-0054

Vulnerability from variot - Updated: 2023-12-18 12:45

CreateBossCredentials.jar in Toshiba CHEC before 6.6 build 4014 and 6.7 before build 4329 contains a hardcoded AES key, which allows attackers to discover Back Office System Server (BOSS) DB2 database credentials by leveraging knowledge of this key in conjunction with bossinfo.pro read access. Toshiba CHEC has a problem in which an AES common (symmetric) key is hard-coded. The encryption key is hard-coded (CWE-321) - CVE-2014-4875: the AES common key that CreateBossCredentials.jar in Toshiba CHEC uses for encryption is hard-coded. An attacker with access to the bossinfo.pro file can use the hard-coded AES common key to decrypt encrypted information such as the BOSS database authentication information. CWE-321: Use of Hard-coded Cryptographic Key http://cwe.mitre.org/data/definitions/321.html An attacker with access to the product may obtain the BOSS database authentication information. Toshiba CHEC is a product of Toshiba Corporation. Successful exploits will allow attackers to obtain sensitive information that may aid in further attacks. Because the key is embedded in the shipped JAR, credentials encrypted with it on an affected build should be treated as exposed to anyone who can read bossinfo.pro.


{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-201506-0054",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "chec",
        "scope": "eq",
        "trust": 1.9,
        "vendor": "toshiba",
        "version": "6.7"
      },
      {
        "model": "chec",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "toshiba",
        "version": "6.6"
      },
      {
        "model": "chec",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "toshiba",
        "version": "6.6"
      },
      {
        "model": null,
        "scope": null,
        "trust": 0.8,
        "vendor": "toshiba commerce",
        "version": null
      },
      {
        "model": "chec",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "toshiba global commerce",
        "version": "version 6.6"
      },
      {
        "model": "chec",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "toshiba global commerce",
        "version": "6.7"
      },
      {
        "model": "chec",
        "scope": null,
        "trust": 0.6,
        "vendor": "toshiba",
        "version": null
      },
      {
        "model": "chec build level",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "toshiba",
        "version": "6.74329"
      },
      {
        "model": "chec build level",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "toshiba",
        "version": "6.64014"
      }
    ],
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#301788"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2015-03887"
      },
      {
        "db": "BID",
        "id": "75055"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2015-002960"
      },
      {
        "db": "NVD",
        "id": "CVE-2014-4875"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201506-217"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:toshiba:chec:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "6.6",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:toshiba:chec:6.7:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2014-4875"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "David Odell",
    "sources": [
      {
        "db": "BID",
        "id": "75055"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201506-217"
      }
    ],
    "trust": 0.9
  },
  "cve": "CVE-2014-4875",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "acInsufInfo": false,
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "NVD",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 10.0,
            "impactScore": 2.9,
            "integrityImpact": "NONE",
            "obtainAllPrivilege": false,
            "obtainOtherPrivilege": false,
            "obtainUserPrivilege": false,
            "severity": "MEDIUM",
            "trust": 1.0,
            "userInteractionRequired": false,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "NVD",
            "availabilityImpact": "NONE",
            "availabilityRequirement": "NOT DEFINED",
            "baseScore": 5.0,
            "collateralDamagePotential": "LOW-MEDIUM",
            "confidentialityImpact": "PARTIAL",
            "confidentialityRequirement": "MEDIUM",
            "enviromentalScore": 4.5,
            "exploitability": "PROOF-OF-CONCEPT",
            "exploitabilityScore": 10.0,
            "id": "CVE-2014-4875",
            "impactScore": 2.9,
            "integrityImpact": "NONE",
            "integrityRequirement": "NOT DEFINED",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "remediationLevel": "UNAVAILABLE",
            "reportConfidence": "UNCORROBORATED",
            "severity": "MEDIUM",
            "targetDistribution": "MEDIUM",
            "trust": 0.8,
            "userInterationRequired": null,
            "vector_string": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Low",
            "accessVector": "Network",
            "authentication": "None",
            "author": "NVD",
            "availabilityImpact": "None",
            "baseScore": 5.0,
            "confidentialityImpact": "Partial",
            "exploitabilityScore": null,
            "id": "CVE-2014-4875",
            "impactScore": null,
            "integrityImpact": "None",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "Medium",
            "trust": 0.8,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "CNVD",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 8.6,
            "id": "CNVD-2015-03887",
            "impactScore": 2.9,
            "integrityImpact": "NONE",
            "severity": "MEDIUM",
            "trust": 0.6,
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          }
        ],
        "cvssV3": [],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2014-4875",
            "trust": 2.6,
            "value": "MEDIUM"
          },
          {
            "author": "CNVD",
            "id": "CNVD-2015-03887",
            "trust": 0.6,
            "value": "MEDIUM"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201506-217",
            "trust": 0.6,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#301788"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2015-03887"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2015-002960"
      },
      {
        "db": "NVD",
        "id": "CVE-2014-4875"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201506-217"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "CreateBossCredentials.jar in Toshiba CHEC before 6.6 build 4014 and 6.7 before build 4329 contains a hardcoded AES key, which allows attackers to discover Back Office System Server (BOSS) DB2 database credentials by leveraging knowledge of this key in conjunction with bossinfo.pro read access. Toshiba CHEC has a problem in which an AES common (symmetric) key is hard-coded. The encryption key is hard-coded (CWE-321) - CVE-2014-4875: the AES common key that CreateBossCredentials.jar in Toshiba CHEC uses for encryption is hard-coded. An attacker with access to the bossinfo.pro file can use the hard-coded AES common key to decrypt encrypted information such as the BOSS database authentication information. CWE-321: Use of Hard-coded Cryptographic Key http://cwe.mitre.org/data/definitions/321.html An attacker with access to the product may obtain the BOSS database authentication information. Toshiba CHEC is a product of Toshiba Corporation.\nSuccessful exploits will allow attackers to obtain sensitive information that may aid in further attacks.",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2014-4875"
      },
      {
        "db": "CERT/CC",
        "id": "VU#301788"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2015-002960"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2015-03887"
      },
      {
        "db": "BID",
        "id": "75055"
      }
    ],
    "trust": 3.15
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2014-4875",
        "trust": 4.1
      },
      {
        "db": "CERT/CC",
        "id": "VU#301788",
        "trust": 4.1
      },
      {
        "db": "BID",
        "id": "75055",
        "trust": 1.5
      },
      {
        "db": "JVN",
        "id": "JVNVU91309683",
        "trust": 0.8
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2015-002960",
        "trust": 0.8
      },
      {
        "db": "CNVD",
        "id": "CNVD-2015-03887",
        "trust": 0.6
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201506-217",
        "trust": 0.6
      }
    ],
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#301788"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2015-03887"
      },
      {
        "db": "BID",
        "id": "75055"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2015-002960"
      },
      {
        "db": "NVD",
        "id": "CVE-2014-4875"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201506-217"
      }
    ]
  },
  "id": "VAR-201506-0054",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2015-03887"
      }
    ],
    "trust": 1.2
  },
  "iot_taxonomy": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "category": [
          "Network device"
        ],
        "sub_category": null,
        "trust": 0.6
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2015-03887"
      }
    ]
  },
  "last_update_date": "2023-12-18T12:45:05.129000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "Toshiba Global Commerce Solutions Self Checkout System 6",
        "trust": 0.8,
        "url": "http://www-03.ibm.com/products/retail/products/self/sco6/specs.html"
      },
      {
        "title": "Top Page",
        "trust": 0.8,
        "url": "https://www.toshibacommerce.com"
      },
      {
        "title": "Toshiba CHEC built-in patch for encryption key information disclosure vulnerability",
        "trust": 0.6,
        "url": "https://www.cnvd.org.cn/patchinfo/show/59823"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2015-03887"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2015-002960"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-255",
        "trust": 1.8
      },
      {
        "problemtype": "CWE-200",
        "trust": 1.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2015-002960"
      },
      {
        "db": "NVD",
        "id": "CVE-2014-4875"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 3.3,
        "url": "http://www.kb.cert.org/vuls/id/301788"
      },
      {
        "trust": 2.4,
        "url": "http://www.kb.cert.org/vuls/id/jlad-9x4spn"
      },
      {
        "trust": 1.2,
        "url": "http://www.securityfocus.com/bid/75055"
      },
      {
        "trust": 0.8,
        "url": "about vulnerability notes"
      },
      {
        "trust": 0.8,
        "url": "contact us about this vulnerability"
      },
      {
        "trust": 0.8,
        "url": "provide a vendor statement"
      },
      {
        "trust": 0.8,
        "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-4875"
      },
      {
        "trust": 0.8,
        "url": "http://jvn.jp/vu/jvnvu91309683/index.html"
      },
      {
        "trust": 0.8,
        "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-4875"
      },
      {
        "trust": 0.3,
        "url": "http://www.toshiba.com/"
      }
    ],
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#301788"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2015-03887"
      },
      {
        "db": "BID",
        "id": "75055"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2015-002960"
      },
      {
        "db": "NVD",
        "id": "CVE-2014-4875"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201506-217"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "CERT/CC",
        "id": "VU#301788"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2015-03887"
      },
      {
        "db": "BID",
        "id": "75055"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2015-002960"
      },
      {
        "db": "NVD",
        "id": "CVE-2014-4875"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201506-217"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2015-06-08T00:00:00",
        "db": "CERT/CC",
        "id": "VU#301788"
      },
      {
        "date": "2015-06-19T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2015-03887"
      },
      {
        "date": "2015-06-08T00:00:00",
        "db": "BID",
        "id": "75055"
      },
      {
        "date": "2015-06-10T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2015-002960"
      },
      {
        "date": "2015-06-24T10:59:00.120000",
        "db": "NVD",
        "id": "CVE-2014-4875"
      },
      {
        "date": "2015-06-11T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201506-217"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2015-06-08T00:00:00",
        "db": "CERT/CC",
        "id": "VU#301788"
      },
      {
        "date": "2015-06-19T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2015-03887"
      },
      {
        "date": "2015-06-08T00:00:00",
        "db": "BID",
        "id": "75055"
      },
      {
        "date": "2015-06-25T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2015-002960"
      },
      {
        "date": "2015-06-24T18:52:44.123000",
        "db": "NVD",
        "id": "CVE-2014-4875"
      },
      {
        "date": "2015-06-25T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201506-217"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201506-217"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Toshiba CHEC Hardcoded Cryptographic Key Information Disclosure Vulnerability",
    "sources": [
      {
        "db": "BID",
        "id": "75055"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201506-217"
      }
    ],
    "trust": 0.9
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "information disclosure",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201506-217"
      }
    ],
    "trust": 0.6
  }
}

