CVE-2015-0922

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "http://packetstormsecurity.com/files/129827/McAfee-ePolicy-Orchestrator-Authenticated-XXE-Credential-Exposure.html", "name": "http://packetstormsecurity.com/files/129827/McAfee-ePolicy-Orchestrator-Authenticated-XXE-Credential-Exposure.html", "tags": ["Exploit"], "refsource": "MISC"}, {"url": "https://kc.mcafee.com/corporate/index?page=content&id=SB10095", "name": "https://kc.mcafee.com/corporate/index?page=content&id=SB10095", "tags": ["Patch", "Vendor Advisory"], "refsource": "CONFIRM"}, {"url": "http://seclists.org/fulldisclosure/2015/Jan/8", "name": "20150106 McAfee ePolicy Orchestrator Authenticated XXE and Credential Exposure", "tags": [], "refsource": "FULLDISC"}, {"url": "http://seclists.org/fulldisclosure/2015/Jan/37", "name": "20150112 Re: McAfee ePolicy Orchestrator Authenticated XXE and Credential Exposure", "tags": [], "refsource": "FULLDISC"}, {"url": "http://www.securityfocus.com/bid/72298", "name": "72298", "tags": ["Exploit"], "refsource": "BID"}, {"url": "https://gist.github.com/brandonprry/692e553975bf29aeaf2c", "name": "https://gist.github.com/brandonprry/692e553975bf29aeaf2c", "tags": [], "refsource": "MISC"}, {"url": "http://www.securitytracker.com/id/1031519", "name": "1031519", "tags": [], "refsource": "SECTRACK"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/99949", "name": "macafee-cve20150922-info-disc(99949)", "tags": [], "refsource": "XF"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "McAfee ePolicy Orchestrator (ePO) before 4.6.9 and 5.x before 5.1.2 uses the same secret key across different customers' installations, which allows attackers to obtain the administrator password by leveraging knowledge of the encrypted password."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-200"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2015-0922", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "severity": "MEDIUM", "impactScore": 2.9, "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}}, "publishedDate": "2015-01-09T18:59Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:mcafee:epolicy_orchestrator:5.1.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:mcafee:epolicy_orchestrator:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "4.6.8"}, {"cpe23Uri": "cpe:2.3:a:mcafee:epolicy_orchestrator:5.0.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:mcafee:epolicy_orchestrator:5.0.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:mcafee:epolicy_orchestrator:5.1.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2017-09-08T01:29Z"}