CVE-2018-16791

Published: Dec 5, 2018Modified: Nov 21, 2024

9.8

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

In SolarWinds SFTP/SCP Server through 2018-09-10, the configuration file is world readable and writable, and stores user passwords in an insecure manner, allowing an attacker to determine passwords for potentially privileged accounts. This also grants the attacker an ability to backdoor the server.

Affected (1)

Products: Solarwinds: Sftp/scp Server

1 product

Sftp/scp Server

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Solarwinds Sftp/scp Server	Up to 20180910

Related CWEs

Insufficiently Protected Credentials

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

References (2)

https://seclists.org/fulldisclosure/2018/Dec/0

Source: cve@mitre.org

Mailing ListThird Party Advisory

https://seclists.org/fulldisclosure/2018/Dec/0

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

Timeline

No history available yet.