PT-2019-15945 · Neuvector · Neuvector

Published: 2019-12-20 · Updated: 2020-01-03 · CVE-2019-19747

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

NeuVector version 3.1

Description

The issue allows an attacker with access to the NeuVector portal to authenticate as any valid LDAP user by providing a valid username and an empty password, given that the Active Directory server has not been configured to reject empty passwords. This occurs when NeuVector is configured to allow authentication via Active Directory.

Recommendations

For NeuVector version 3.1, consider configuring the Active Directory server to reject empty passwords as a mitigation measure. Additionally, restrict access to the NeuVector portal to minimize the risk of exploitation.
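The empty-password condition described above can also be refused by the application itself before it attempts an LDAP bind, whatever the directory server's configuration. The following is an added example, not NeuVector code: `StubDirectory`, `naive_login` and `hardened_login` are hypothetical names, and the directory is a constructed in-memory stand-in rather than a real LDAP client.

```python
import hmac


class StubDirectory:
    """Constructed stand-in for an LDAP/AD server; not a real client library."""

    def __init__(self, users, reject_empty_passwords=False):
        self.users = users  # constructed sample accounts: name -> password
        self.reject_empty_passwords = reject_empty_passwords

    def simple_bind(self, name, password):
        """Return True when the server reports the bind as successful."""
        if name not in self.users:
            return False
        if password == "":
            # A name with a zero-length password is an "unauthenticated bind"
            # (RFC 4513 section 5.1.2): no credential is verified, yet a
            # server that permits it still answers with success.
            return not self.reject_empty_passwords
        return hmac.compare_digest(self.users[name].encode(), password.encode())


def naive_login(directory, name, password):
    """Vulnerable pattern: bind success is taken as proof of identity."""
    return directory.simple_bind(name, password)


def hardened_login(directory, name, password):
    """Refuse empty names and passwords before any bind is attempted."""
    if not name or not password:
        return False
    return directory.simple_bind(name, password)


def demo():
    users = {"alice": "correct horse"}  # constructed sample data
    permissive = StubDirectory(users)  # server accepts empty passwords
    strict = StubDirectory(users, reject_empty_passwords=True)  # mitigated
    return {
        "naive, permissive server, empty": naive_login(permissive, "alice", ""),
        "naive, strict server, empty": naive_login(strict, "alice", ""),
        "hardened, permissive server, empty": hardened_login(permissive, "alice", ""),
        "hardened, permissive server, real": hardened_login(permissive, "alice", "correct horse"),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The second case corresponds to the server-side mitigation in the recommendations; the third shows the client-side check holding even when the server is left permissive.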


Related Identifiers

CVE-2019-19747

Affected Products

Neuvector