PT-2019-17788 · Bluecats · Bluecats Reveal

Rapid7 Researcher

Published

2019-05-22

Updated

2020-10-16

CVE-2019-5627

CVSS v3.1

7.8

High

Vector

AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions BlueCats Reveal versions prior to 5.14

Description The issue allows an attacker to compromise the affected BlueCats network implementation by accessing the username and password stored in the app cache as base64 encoded strings, essentially clear text, even after the user logs out. To exploit this, an attacker would first need to gain physical control of the iOS device or compromise it with a malicious app.

Recommendations For versions prior to 5.14, update to version 5.14 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive data and the BlueCats network implementation until the update can be applied.

Exploit

Fix

Insufficiently Protected Credentials

Insecure Storage of Sensitive Information

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-522CWE-922

Related Identifiers

CVE-2019-5627

Affected Products

Bluecats Reveal

PT-2019-17788 · Bluecats · Bluecats Reveal

CVE-2019-5627

Weakness Enumeration

Related Identifiers

Affected Products

References · 4