Description
Product: Axway Email Firewall
Component: Secure Messenger
Vendor: Axway
Vulnerable Version(s): 6.5 and earlier on the Email Firewall (EMF) platform only
Tested Version: 6.3.2 (Build 4230)
Vendor Notification: December 8, 2012
Vendor Patch: Secure Messenger version 6.5.0 Updated Release 7
Public Disclosure: January 17, 2013
Vulnerability Type: Username Disclosure
CVE Reference: CVE-2012-6452
Solution Status: Fixed by Vendor
Credit: Jason Doyle / FishNet Security
Advisory Details:
When authenticating to Secure Messenger on Axway's Email Firewall, vulnerable versions return different HTTP header responses for users that exist and users that do not exist when an incorrect password is supplied. Specifically, two (2) JSESSIONIDs are returned for valid users, and one (1) for invalid users.
Solution:
Upgrade to Secure Messenger version 6.5 Updated Release 7, or migrate to Axway MailGate 5.2.0 (or later) for the equivalent functionality.
Contact:
support.axway.com
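Added example (not part of the original advisory or Axway's code): a regression check that reduces two captured failed-login responses to their status code, header names and JSESSIONID Set-Cookie count, and reports whether they differ, which is the discrepancy described under Advisory Details. The sample responses, their status codes and cookie values are constructed for illustration.

```python
from collections import Counter

def fingerprint(raw_response: str, cookie: str = "JSESSIONID"):
    """Reduce a raw HTTP response to the parts that must not vary per user:
    status code, header-name multiset, and number of session cookies set."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    status_line, *header_lines = head.split("\n")
    status = int(status_line.split()[1])
    names = Counter()
    session_cookies = 0
    for line in header_lines:
        field, sep, value = line.partition(":")
        if not sep:
            continue  # not a header line
        field = field.strip().lower()
        names[field] += 1
        # Header values (session IDs, dates) legitimately differ; only count them.
        if field == "set-cookie" and value.strip().split("=", 1)[0] == cookie:
            session_cookies += 1
    return status, tuple(sorted(names.items())), session_cookies

def discloses_user_existence(resp_existing: str, resp_unknown: str) -> bool:
    """True if failed logins for an existing and an unknown account are
    distinguishable by response shape."""
    return fingerprint(resp_existing) != fingerprint(resp_unknown)

# Constructed samples: wrong password for an existing account (two cookies)
# and for an unknown account (one cookie), as the advisory describes.
EXISTING_USER = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: JSESSIONID=BBBB1111; Path=/\r\n"
    "Set-Cookie: JSESSIONID=CCCC2222; Path=/\r\n"
    "\r\n"
)
UNKNOWN_USER = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: JSESSIONID=AAAA0000; Path=/\r\n"
    "\r\n"
)
# Constructed sample of uniform behaviour: same shape, different cookie value.
UNIFORM_OTHER = UNKNOWN_USER.replace("AAAA0000", "DDDD3333")

if __name__ == "__main__":
    print("differing pair:", discloses_user_existence(EXISTING_USER, UNKNOWN_USER))
    print("uniform pair:  ", discloses_user_existence(UNIFORM_OTHER, UNKNOWN_USER))
```

Run it against responses captured from your own deployment before and after the upgrade; a fixed installation should report no difference for the two failed logins.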