PT-2019-15538 · Arista · CloudVision Portal

Published

2019-12-19

·

Updated

2021-07-21

·

CVE-2019-18615

CVSS v3.1

4.9

Medium

Vector

AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

CloudVision Portal (CVP) 2018.2 train

Description

Under specific conditions, CVP logs user passwords in plain text for certain API calls, which potentially exposes those passwords. The conditions are environments where devices have enable-mode passwords that differ from the user's login password, or where configlet builders use the Device class and pass a username and password explicitly. The application logs that contain this information are not reachable through the CVP GUI; they can only be read by users with privileged access to the VM hosting the CVP application.

Recommendations

For CVP 2018.2 train, restrict access to the application logs to minimize the risk of password exposure until a fix is available. As a temporary workaround, review and modify configlet builders so that they do not pass a username and password explicitly, and ensure devices do not use enable-mode passwords that differ from the user's login password.
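The two checks an operator would want while the workaround is in place are (1) finding configlet builders that instantiate Device with explicit credentials and (2) confirming whether the application logs already carry credential values, and producing a redacted copy before the logs leave the VM. The script below is an added example for this page, not code from Arista or from CVP: the builder source and log lines are constructed, the `cvplibrary` import path and the Device constructor's positional order (host, username, password) are assumptions, and the credential field names matched in the log are an assumption about the log format.

```python
"""Audit helpers for the CVE-2019-18615 exposure pattern (added example).

1. find_explicit_credentials: parse a configlet builder with `ast` and report
   every Device(...) call that passes username/password explicitly, one of the
   conditions under which CVP 2018.2 logged the password in clear text;
2. scan_log / redact_line: locate credential fields in application log text
   and replace their values, so exposure can be confirmed and the file handled
   (restricted, rotated, redacted) accordingly.

All inputs below are constructed for this example.
"""
import ast
import re

# Constructed builder: one call passes credentials explicitly, one does not.
# The import path `cvplibrary` is assumed; it is never executed here.
SAMPLE_BUILDER = '''
from cvplibrary import Device

def build():
    # explicit credentials: the risky pattern
    dev = Device("10.0.0.5", username="admin", password="Sup3rS3cret!")
    safe = Device("10.0.0.6")   # relies on CVP-managed credentials
    return dev, safe
'''

# Constructed log lines in the shape of an API-call log (field names assumed).
SAMPLE_LOG = [
    "2019-12-19 10:01:02 INFO  api call /cvpservice/... user=admin "
    "password=Sup3rS3cret! enable=En4ble!",
    "2019-12-19 10:01:03 INFO  api call /cvpservice/... user=ops",
    "2019-12-19 10:01:04 DEBUG configlet builder ran for 10.0.0.5",
]

# Credential fields of the form name=value; value runs to the next whitespace.
CRED_FIELD = re.compile(r"(?i)\b(password|passwd|pwd|enable)=(\S+)")


def find_explicit_credentials(source: str, class_name: str = "Device") -> list:
    """Return (lineno, kind) for each Device(...) call that passes credentials.

    kind is 'username' or 'password' for keyword arguments, or 'positional'
    when two or more positional arguments are given (assumed order:
    host, username, password).  Expressions count as well as literals,
    because a variable still ends up in the API call that gets logged.
    """
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        name = func.id if isinstance(func, ast.Name) else getattr(func, "attr", None)
        if name != class_name:
            continue
        for kw in node.keywords:
            if kw.arg in ("username", "password"):
                hits.append((node.lineno, kw.arg))
        if len(node.args) >= 2:
            hits.append((node.lineno, "positional"))
    return hits


def redact_line(line: str) -> tuple:
    """Replace the value of every credential field; return (redacted, count)."""
    return CRED_FIELD.subn(lambda m: f"{m.group(1)}=<REDACTED>", line)


def scan_log(lines) -> list:
    """Return the indices of log lines carrying a credential field in clear text."""
    return [i for i, line in enumerate(lines) if CRED_FIELD.search(line)]


if __name__ == "__main__":
    for lineno, kind in find_explicit_credentials(SAMPLE_BUILDER):
        print(f"builder line {lineno}: explicit {kind} passed to Device()")
    for i in scan_log(SAMPLE_LOG):
        redacted, n = redact_line(SAMPLE_LOG[i])
        print(f"log line {i}: {n} credential field(s) -> {redacted}")
```

Run the AST check over every builder stored in CVP and the log scan over the application log directory on the CVP VM; a non-empty result from either confirms that the condition described in the advisory applies to your deployment, and the redacted copy is what should be shared with anyone who does not already have privileged access to that VM.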

Fix

Weakness Enumeration

CWE-522 Insufficiently Protected Credentials

CWE-312 Cleartext Storage of Sensitive Information

Related Identifiers

CVE-2019-18615

Affected Products

CloudVision Portal