Version v7.8.3 - Additional Details
Security
The following items have been addressed:
- 1 - Summary:
- Additional information could be made accessible to an authenticated user by leveraging the access that user already held to other items
- Requirement:
- The attacker would already have to be logged in as an authorized user with the correct username and password
- That user would already have to have been granted access to associated items securely stored in the system
- Scope of Impact:
- The attacker would already have to hold an authorized account on the Password Server and have been granted access to secured information; no unauthenticated access is involved
- Any such access would be recorded as usual in Password Server's auditing and history features, so the audit trail can be reviewed for unexpected access.
- Status:
- This vulnerability has been fixed in this release.
- Versions Affected: All
- 2 - Summary:
- Information could be modified by leveraging existing authorized access
- Improvements have been made to further safeguard Password Server's secured information
- Requirement:
- The attacker would already have to be logged in with the correct username and password for an account on the system, while not being authorized to modify the affected information
- The attacker would have to take advantage of detailed internal system information
- Scope of Impact:
- The attacker would already have to hold an authorized account on the Password Server.
- Any such changes would be recorded as usual in Password Server's auditing and history features, so the history can be reviewed for unexpected modifications.
- Status:
- This vulnerability has been fixed in this release.
- Versions Affected: 7+
- 3 - Summary:
- In a local security context, insufficient output controls could allow an authenticated user to enter values into the system that are mishandled when the Password Server Web Client later displays them to other users
- Requirement:
- The attacker would already have to be logged in with the correct username and password in order to enter the values
- Another authorized user would then have to navigate to the same locations in the Password Server Web Client
- Scope of Impact:
- The attacker would already have to hold an authorized account on the Password Server.
- The entered values, along with any activity resulting from them, would be recorded as usual in Password Server's auditing and history features.
- Status:
- This vulnerability has been fixed in this release.
- Versions Affected: 7+
- 4 - Summary:
- In a local security context, the automatic auto-fill of password credentials by a browser or browser plugin could potentially be leveraged by a third-party script running on the same local website domain.
- Additional information could be made accessible by reading information from one domain and injecting it into another
- Requirement:
- An authorized user's correct username and password would already have to be available to the browser or plugin for auto-fill
- A third-party script would have to be permitted to run on the same local website domain
- Scope of Impact:
- The affected user would already have to hold an authorized account on the Password Server.
- Actions taken by the third-party script would appear in the auditing and history features as if performed by the original user, so the audit trail alone would not distinguish them.
- Status:
- This is an issue best addressed by organizational awareness and user behaviour
- The vulnerability has been addressed in part by this release, but browsers, plugins and third-party scripts continue to find new work-arounds.
- Recommendation (optional): to further mitigate this concern, disable automatic auto-fill of credentials in your browser(s) and plugins, and limit which third-party scripts are allowed to run on the domain that serves the Password Server Web Client
- Versions Affected: All
- 5 - Summary:
- A knowledgeable person with access to an unsecured machine from which Password Server had previously been accessed could leverage information remaining on that machine to gain entry into the application.
- Requirement:
- An authorized user would have to have already used the correct username and password on that machine
- An unauthorized user would have to have access to that machine and detailed system knowledge to leverage the application entry information it holds
- Scope of Impact:
- The attacker would already have to have gained access to a machine having authorized account access on the Password Server.
- The resulting entry would appear in the auditing and history features as the original user, so the audit trail alone would not distinguish it.
- Status:
- This vulnerability has been fixed in this release.
- Versions Affected: All
Acknowledgements:
- Pleasant Solutions would like to thank Profundis Labs for their security audit and for their participation and cooperation with us, in protecting our customers.