PT-2007-5496 · Ibm · Ibm Lotus Notes

Published

2007-08-13

Updated

2008-09-05

CVE-2007-4309

CVSS v2.0

3.5

Low

Vector

AV:N/AC:M/Au:S/C:P/I:N/A:N

Name of the Vulnerable Software and Affected Versions IBM Lotus Notes versions 5.x through 7.0.2

Description The issue allows user-assisted remote authenticated administrators to obtain a cleartext notes.id password. This is achieved by setting the notes.ini KFM ShowEntropy and Debug Outfile debug variables.

Recommendations For IBM Lotus Notes versions 5.x through 7.0.2, consider restricting access to the notes.ini file to prevent unauthorized setting of the KFM ShowEntropy and Debug Outfile variables until a fix is available. As a temporary workaround, limit the use of debug variables to minimize the risk of exploitation.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Related Identifiers

CVE-2007-4309

Affected Products

Ibm Lotus Notes

PT-2007-5496 · Ibm · Ibm Lotus Notes

CVE-2007-4309

Related Identifiers

Affected Products

References · 5