ID: CVE-2019-15023
Type: cve
Reporter: cve@mitre.org
Modified: 2020-02-17T16:15:00
Description
A security vulnerability exists in Zingbox Inspector versions 1.294 and earlier that results in passwords for 3rd party integrations being stored in cleartext in device configuration.
{"symantec": [{"lastseen": "2019-10-03T16:28:17", "bulletinFamily": "software", "cvelist": ["CVE-2019-15023"], "description": "### Description\n\nPalo Alto Networks Zingbox Inspector is prone to an information-disclosure vulnerability. Attackers can exploit this issue to obtain sensitive information that may aid in further attacks. Versions prior to Zingbox Inspector 1.295 are vulnerable.\n\n### Technologies Affected\n\n * Paloaltonetworks Zingbox Inspector 1.294 \n\n### Recommendations\n\n**Block external access at the network boundary, unless external parties require service.** \nFilter access to the affected computer at the network boundary if global access isn't needed. Restricting access to only trusted computers and networks might greatly reduce the likelihood of a successful exploit. \n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights. \n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nNIDS may identify and block generic attacks against web applications. Detecting and suspicious HTTP requests may reduce the likelihood of successful exploits. \n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "modified": "2019-10-01T00:00:00", "published": "2019-10-01T00:00:00", "id": "SMNTC-110292", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/110292", "type": "symantec", "title": "Palo Alto Networks Zingbox Inspector CVE-2019-15023 Information Disclosure Vulnerability", "cvss": {"score": 0.0, "vector": "NONE"}}], "paloalto": [{"lastseen": "2020-12-24T13:20:54", "bulletinFamily": "software", "cvelist": ["CVE-2019-15023"], "description": "A security vulnerability exists in Zingbox Inspector that results in passwords for 3rd party integrations being stored in cleartext in device configuration. (Ref: CVE-2019-15023)\nThe vulnerability allows for the viewing of plaintext credentials stored within the Zingbox Inspector software and stored configuration files.\nThis issue affects Zingbox Inspector, versions 1.294 and earlier.\n\n**Work around:**\nIn the normal course of operation, Zingbox Inspector automatically updates its own software, and a fixed version of software has already been made available. No user action is required unless the software is unable to update itself. Customers still running affected versions of Zingbox Inspector software can mitigate this issue by updating to a patched version, or by disabling any 3rd party integrations configured within Zingbox Inspector where 3rd party credentials are required and stored within the Zingbox Inspector software. See product documentation for more information on how to disable 3rd party integrations.", "edition": 4, "modified": "2019-10-01T07:00:00", "published": "2019-10-01T07:00:00", "id": "PAN-SA-2019-0035", "href": "https://securityadvisories.paloaltonetworks.com/CVE-2019-15023", "title": "Insecure Password Storage in Zingbox Inspector", "type": "paloalto", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}]}