CVE-2019-20457

Published: Nov 7, 2024Modified: Nov 4, 2025

9.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Exploitability: 3.9 / Impact: 5.2

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

An issue was discovered on Brother MFC-J491DW C1806180757 devices. The printer's web-interface password hash can be retrieved without authentication, because the response header of any failed login attempt returns an incomplete authorization cookie. The value of the authorization cookie is the MD5 hash of the password in hexadecimal. An attacker can easily derive the true MD5 hash from this, and use offline cracking attacks to obtain administrative access to the device.

Related CWEs

CWE-276

Incorrect Default Permissions

During installation, installed file permissions are set to allow anyone to modify those files.

References (4)

https://global.brother

Source: cve@mitre.org

https://seclists.org/fulldisclosure/2024/Jul/14

Source: cve@mitre.org

https://support.brother.com/g/s/security/en/index.html

Source: cve@mitre.org

http://seclists.org/fulldisclosure/2024/Jul/14

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.