Design/Logic Flaw

2023-12-1320:15:00

PRIOn knowledge base

www.prio-n.com

default containers

primx zed!

zonecentral

windows

anssi qualification submission

encrypted

sensitive user information

unauthenticated attacker

brute force

7.1 High

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

39.9%

JSON

By default, .ZED containers produced by PRIMX ZED! for Windows before Q.2020.3 (ANSSI qualification submission); ZED! for Windows before Q.2021.2 (ANSSI qualification submission); ZONECENTRAL for Windows before Q.2021.2 (ANSSI qualification submission); ZONECENTRAL for Windows before 2023.5; ZEDMAIL for Windows before 2023.5; and ZED! for Windows, Mac, Linux before 2023.5 include an encrypted version of sensitive user information, which could allow an unauthenticated attacker to obtain it via brute force.

CPENameOperatorVersion
zed\\!eq< q.2020.3
zed\\!ge2023.0
zed\\!lt2023.5
zed\\!eq>= q.2021.0 AND < q.2021.2
zedmaillt2023.5
zonecentralge2023.0
zonecentrallt2023.5
zonecentraleq< q.2021.2

Name	Operator	Version
zed\\!	eq	< q.2020.3
zed\\!	ge	2023.0
zed\\!	lt	2023.5
zed\\!	eq	>= q.2021.0 AND < q.2021.2
zedmail	lt	2023.5
zonecentral	ge	2023.0
zonecentral	lt	2023.5
zonecentral	eq	< q.2021.2

References

www.primx.eu/en/bulletins/security-bulletin-23B30874/

www.primx.eu/fr/blog/