CVE-2020-7196

Name of the Vulnerable Software and Affected Versions HPE BlueData EPIC Software Platform version 4.0 HPE Ezmeral Container Platform version 5.0

Description The issue concerns an insecure method of handling sensitive Kerberos passwords, making them susceptible to unauthorized interception and/or retrieval. Specifically, the kdc admin password is displayed in the source file of the API endpoint "/bdswebui/assignusers/".

Recommendations For HPE BlueData EPIC Software Platform version 4.0, consider restricting access to the "/bdswebui/assignusers/" API endpoint to minimize the risk of exploitation. For HPE Ezmeral Container Platform version 5.0, avoid using the kdc admin password in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.