Vulnerability Note VU#547167
CollabNet ScrumWorks Basic Server transmits credential information in plaintext
Overview
Communication between the Collabnet ScrumWorks Basic Server and CollabNet ScrumWorks Desktop Client transmits credential information in plaintext.
Description
The communication between the CollabNet ScrumWorks Basic Server and CollabNet ScrumWorks Desktop Client is transmitting credential information in plaintext. The CollabNet ScrumWorks Basic Server communicates with the CollabNet ScrumWorks Desktop Client using unencrypted Java objects. These unencrypted Java objects contain the username and password of the active user or (by calling specific functions) all users on the CollabNet ScrumWorks Basic Server. An additional vulnerability exists in CollabNet ScrumWorks where the ScrumWorks Basic Server stores unencrypted client usernames and passwords in its internal database.
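The exposure described above is visible to anyone who can read the client/server stream: a Java ObjectOutputStream starts with a fixed magic header, and class names, field names and String values inside it are length-prefixed UTF text. The following added example (not code from the advisory or from CollabNet) is a small defender-side heuristic that classifies a captured TCP payload as unencrypted Java serialization and flags credential-like field names, the kind of check one would run over traffic to confirm the issue or to drive an IDS alert. The sample bytes are constructed by hand to resemble a serialized credential object and are not a ScrumWorks capture; the field names `username`/`password` and the class name are assumptions, not the product's real class layout.

```python
"""Heuristic detector for unencrypted Java object serialization carrying credential fields.

Added example; not code from the advisory or from CollabNet. The sample bytes below are
constructed by hand to resemble a serialized credential object and are not a capture
from ScrumWorks. The field names checked (username/password) are assumptions, not the
product's actual class layout.
"""
from typing import Dict, List

# Every Java ObjectOutputStream begins with STREAM_MAGIC (0xACED) and STREAM_VERSION (5).
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"

# Field names that indicate credential material if seen in clear (assumed names).
CREDENTIAL_FIELD_NAMES = ("username", "password", "passwd", "secret")

MIN_STRING_LEN = 3    # ignore tiny matches that are usually stray length bytes
MAX_STRING_LEN = 255


def extract_utf_strings(payload: bytes) -> List[str]:
    """Pull out length-prefixed printable strings.

    Java serialization writes class names, field names and TC_STRING values as a
    2-byte big-endian length followed by modified UTF-8 bytes. This scanner does not
    parse the full grammar; it accepts any in-range 2-byte length followed by that many
    printable ASCII bytes, which is enough to show what a passive observer can read.
    """
    found: List[str] = []
    i = 0
    while i + 2 <= len(payload):
        n = int.from_bytes(payload[i:i + 2], "big")
        end = i + 2 + n
        if MIN_STRING_LEN <= n <= MAX_STRING_LEN and end <= len(payload):
            chunk = payload[i + 2:end]
            if all(0x20 <= b <= 0x7E for b in chunk):
                found.append(chunk.decode("ascii"))
                i = end
                continue
        i += 1
    return found


def assess_payload(payload: bytes) -> Dict[str, object]:
    """Classify one TCP payload: is it Java serialization, and does it expose credential fields?"""
    is_java = payload.startswith(JAVA_STREAM_MAGIC)
    strings = extract_utf_strings(payload) if is_java else []
    cred_fields = [s for s in strings if s.lower() in CREDENTIAL_FIELD_NAMES]
    return {
        "java_serialization": is_java,
        "strings": strings,
        "credential_fields": cred_fields,
        # Alert condition: plaintext serialization plus credential field names on the wire.
        "alert": is_java and bool(cred_fields),
    }


def _utf(s: str) -> bytes:
    """Encode a string the way writeUTF does for ASCII input: 2-byte length + bytes."""
    return len(s).to_bytes(2, "big") + s.encode("ascii")


# Constructed sample: layout loosely follows the Java serialization grammar
# (TC_OBJECT, TC_CLASSDESC, field descriptors, then the String values).
SAMPLE_PLAINTEXT = (
    JAVA_STREAM_MAGIC
    + b"\x73\x72" + _utf("com.example.Credentials")        # TC_OBJECT, TC_CLASSDESC, class name
    + b"\x00" * 8 + b"\x02" + b"\x00\x02"                    # serialVersionUID, SC_SERIALIZABLE, 2 fields
    + b"\x4c" + _utf("password") + b"\x74" + _utf("Ljava/lang/String;")  # object field descriptor
    + b"\x4c" + _utf("username") + b"\x71\x00\x7e\x00\x01"   # second field, type via back-reference
    + b"\x78\x70"                                            # TC_ENDBLOCKDATA, no superclass
    + b"\x74" + _utf("s3cret!")                              # TC_STRING value for password
    + b"\x74" + _utf("alice")                                # TC_STRING value for username
)

# Constructed sample of a TLS ClientHello prefix: encrypted transport, nothing readable.
SAMPLE_TLS = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + bytes(32)


if __name__ == "__main__":
    for name, pkt in (("plaintext-java", SAMPLE_PLAINTEXT), ("tls", SAMPLE_TLS)):
        result = assess_payload(pkt)
        print(name, "ALERT" if result["alert"] else "ok", result["credential_fields"])
```

The same two conditions (stream magic at offset 0 plus a credential field name in the payload) map directly onto a content-match rule in a network IDS; the point of the check is that the transport, not the application logic, is what makes the credentials readable, which is why the vendor's recommendation to restrict network access to the server is the practical mitigation for the Basic edition.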
Impact
An attacker could use a packet capture tool to view the credentials of the active client, or the usernames and password hashes of all authenticated clients.
Solution
CollabNet has stated to CERT that the client passwords are encrypted in CollabNet ScrumWorks Pro, and there are no plans for adding an encryption feature into CollabNet ScrumWorks Basic. CollabNet ScrumWorks Basic should not be used for sensitive data.
Restrict access
Vendor Information
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| CollabNet | Affected | 20 Dec 2010 | 17 Jan 2011 |
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | N/A | N/A |
| Temporal | N/A | N/A |
| Environmental | N/A | N/A |
References
- None
Credit
Thanks to David Elze from Daimler TSS Technical Security for reporting this vulnerability.
This document was written by Michael Orlando.
Other Information
- CVE IDs: CVE-2011-0410
- Date Public: 21 Jan 2011
- Date First Published: 21 Jan 2011
- Date Last Updated: 21 Jan 2011
- Severity Metric: 14.40
- Document Revision: 21