The Symantec Management Center REST API is susceptible to an information disclosure vulnerability. A malicious authenticated user can obtain passwords for external backup and CPL policy import servers that they might not otherwise be authorized to access.
| CVE | Supported Version(s) | Remediation |
|---|---|---|
| CVE-2019-9697 | 2.0, 2.1 | Upgrade to later release with fixes. |
| CVE-2019-9697 | 2.2 | Upgrade to 2.2.2.1. |
| CVE-2019-9697 | 2.3 | Not vulnerable, fixed |
Severity / CVSSv3 | Medium / 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
References | SecurityFocus: BID 109828 / NVD: CVE-2019-9697
Impact | Information disclosure
Description | An information disclosure vulnerability in the MC REST API allows a malicious authenticated user to obtain passwords for external backup and CPL policy import servers that they might not otherwise be authorized to access.
This vulnerability has security impact only when MC is configured with multiple users. The first authenticated administrator can configure the external server passwords on MC. The second, malicious, administrator or view-only user might not be authorized to access the external servers, but can obtain the passwords through the MC REST API.
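The pattern behind this class of bug, shown as an added, constructed example (not Symantec Management Center code; the endpoint functions, role names, privilege flag and server entries are assumptions for illustration): a configuration read endpoint that gates only on authentication and echoes stored external-server passwords back to every caller, beside a hardened version that both checks the caller's privilege and never returns the stored secret in a read response.

```python
"""Illustration of the CVE-2019-9697 vulnerability class: a REST read endpoint
that hands stored external-server credentials to any authenticated caller.
Constructed example, not Management Center code. Endpoint names, role names,
the privilege flag and the server entries below are assumptions."""
from dataclasses import dataclass
from typing import Any, Optional

# Constructed configuration store, modelled on what the first administrator
# would enter: an external backup server and a CPL policy import server,
# each with a stored password.
EXTERNAL_SERVERS: dict[str, dict[str, Any]] = {
    "backup": {"host": "backup.example.test", "user": "mcbackup",
               "password": "constructed-backup-secret"},
    "cpl_import": {"host": "policy.example.test", "user": "mcimport",
                   "password": "constructed-cpl-secret"},
}

# Fields that must never appear in clear text in a read response.
SECRET_FIELDS = {"password"}
REDACTED = "***"


@dataclass
class Caller:
    """Authenticated MC user (assumed model). Role is 'admin' or 'view_only';
    the privilege flag models authorization to manage external servers."""
    name: str
    role: str
    may_manage_external_servers: bool = False


def get_external_servers_vulnerable(caller: Optional[Caller]) -> dict:
    """Flawed pattern: authentication is the only gate. A second administrator
    or a view-only user receives the stored passwords verbatim."""
    if caller is None:
        raise PermissionError("authentication required")
    return {name: dict(cfg) for name, cfg in EXTERNAL_SERVERS.items()}


def redact(cfg: dict[str, Any]) -> dict[str, Any]:
    """Replace secret fields with a presence marker; other fields pass through."""
    return {k: (REDACTED if k in SECRET_FIELDS else v) for k, v in cfg.items()}


def get_external_servers_hardened(caller: Optional[Caller]) -> dict:
    """Hardened pattern: authenticate, then authorize against the specific
    privilege, and even for authorized callers treat stored secrets as
    write-only so a read response can never disclose them."""
    if caller is None:
        raise PermissionError("authentication required")
    if not caller.may_manage_external_servers:
        raise PermissionError(f"{caller.name} may not read external server config")
    return {name: redact(cfg) for name, cfg in EXTERNAL_SERVERS.items()}


def leaks_secret(response: dict) -> bool:
    """Check usable in an API test suite: True if any secret field in the
    response carries a value other than the redaction marker."""
    return any(v not in (REDACTED, "", None)
               for cfg in response.values()
               for k, v in cfg.items() if k in SECRET_FIELDS)


if __name__ == "__main__":
    view_only = Caller("second-user", "view_only")
    print("vulnerable endpoint leaks to view-only user:",
          leaks_secret(get_external_servers_vulnerable(view_only)))
    admin = Caller("first-admin", "admin", may_manage_external_servers=True)
    print("hardened endpoint leaks to authorized admin:",
          leaks_secret(get_external_servers_hardened(admin)))
```

The `leaks_secret` check is the kind of regression test worth keeping for any configuration API: it asserts on what a read endpoint returns for a low-privilege account, which is exactly the condition this advisory describes.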
2019-08-27 initial public release
| CPE | Name | Operator | Version |
|---|---|---|---|
| | management center (mc) | eq | 2 |