Vulnerability CVE-2014-0103 - CERT Civis.Net

Vulnerability Name:

CVE-2014-0103 (CCN-94103)

Assigned:

2013-12-03

Published:

2014-06-30

Updated:

2015-11-04

Summary:

WebAccess in Zarafa before 7.1.10 and WebApp before 1.6 stores credentials in cleartext, which allows local Apache users to obtain sensitive information by reading the PHP session files.

CVSS v3 Severity:

4.0 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): None Availibility (A): None

CVSS v2 Severity:

2.1 Low (CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N)
1.6 Low (Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

2.1 Low (CCN CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N)
1.6 Low (CCN Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

Vulnerability Type:

Vulnerability Consequences:

Obtain Information

References:

Source: CONFIRM
Type: UNKNOWN
http://advisories.mageia.org/MGASA-2014-0380.html

Source: MITRE
Type: CNA
CVE-2014-0103

Source: FEDORA
Type: UNKNOWN
FEDORA-2014-7896

Source: FEDORA
Type: UNKNOWN
FEDORA-2014-7889

Source: CCN
Type: oss-security Mailing List, Mon 30 Jun 2014
CVE-2014-0103: Zarafa WebAccess/WebApp store passwords in cleartext on server

Source: CCN
Type: oss-security Mailing List, Mon, 25 Aug 2014 13:09:29 -0400 (EDT)
Re: CVE request: Multiple incorrect default permissions in Zarafa

Source: MANDRIVA
Type: UNKNOWN
MDVSA-2014:182

Source: BID
Type: UNKNOWN
68247

Source: CCN
Type: BID-68247
Zarafa WebAccess and WebApp Local Information Disclosure Vulnerability

Source: CCN
Type: Zarafa Web site
WebAccess and WebApp

Source: CONFIRM
Type: UNKNOWN
https://bugzilla.redhat.com/show_bug.cgi?id=1073618

Source: XF
Type: UNKNOWN
zarafa-cve20140103-info-disc(94103)

Vulnerable Configuration:

Configuration 1:

cpe:/a:zarafa:webapp:*:*:*:*:*:*:*:* (Version <= 1.5)

OR cpe:/a:zarafa:zarafa:7.0:*:*:*:*:*:*:*

OR cpe:/a:zarafa:zarafa:7.0.1:*:*:*:*:*:*:*

OR cpe:/a:zarafa:zarafa:7.0.2:*:*:*:*:*:*:*

OR cpe:/a:zarafa:zarafa:7.0.3:*:*:*:*:*:*:*

OR cpe:/a:zarafa:zarafa:7.0.4:*:*:*:*:*:*:*

OR cpe:/a:zarafa:zarafa:7.0.5:*:*:*:*:*:*:*

OR cpe:/a:zarafa:zarafa:7.0.6:*:*:*:*:*:*:*

OR cpe:/a:zarafa:zarafa:7.0.7:*:*:*:*:*:*:*

OR cpe:/a:zarafa:zarafa:7.0.8:*:*:*:*:*:*:*

OR cpe:/a:zarafa:zarafa:7.0.9:*:*:*:*:*:*:*

OR cpe:/a:zarafa:zarafa:7.0.10:*:*:*:*:*:*:*

OR cpe:/a:zarafa:zarafa:7.0.11:*:*:*:*:*:*:*

OR cpe:/a:zarafa:zarafa:7.0.12:*:*:*:*:*:*:*

OR cpe:/a:zarafa:zarafa:7.0.13:*:*:*:*:*:*:*

OR cpe:/a:zarafa:zarafa:7.1.0:*:*:*:*:*:*:*

OR cpe:/a:zarafa:zarafa:7.1.1:*:*:*:*:*:*:*

OR cpe:/a:zarafa:zarafa:7.1.2:*:*:*:*:*:*:*

OR cpe:/a:zarafa:zarafa:7.1.3:*:*:*:*:*:*:*

OR cpe:/a:zarafa:zarafa:7.1.4:*:*:*:*:*:*:*

OR cpe:/a:zarafa:zarafa:7.1.8:*:*:*:*:*:*:*

OR cpe:/a:zarafa:zarafa:*:*:*:*:*:*:*:* (Version <= 7.1.9)

OR cpe:/o:fedoraproject:fedora:19:*:*:*:*:*:*:*

OR cpe:/o:fedoraproject:fedora:20:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:zarafa:webapp:1.5:*:*:*:*:*:*:*

Denotes that component is vulnerable