Guest

Preview Tool

Cisco Bug: CSCvv68306 - EPNM5.0: Passwd in clear text without encrypt of SFTP in General Report Page

Last Modified

Sep 30, 2020

Products (1)

  • Network Level Service

Known Affected Releases

4.0(0.0) 5.0(0.0.110)

Description (partial)

Symptom:
In 5.0 I110A build 685, I see a potential security issue in EPNM GUI / Administration / Settings / System Settings / General / Report page below, if I append a space after the existing passwd in Password field then click save, in the pop-up msg it will display the password explicitly, a clear text, I don’t think we shall have any exception for any password to be displayed without encryption from GUI.

Let me give a scenario here: if I don’t know what’s the passwd of this External Server (SFTP) I just need go to this page to give a space at the end of existing password, click Save then I can hack the passwd easily.

Also reproduced in 4.1 and 4.0 FCS.

Conditions:
In 5.0 I110A build 685, I see a potential security issue in EPNM GUI / Administration / Settings / System Settings / General / Report page below, if I append a space after the existing passwd in Password field then click save, in the pop-up msg it will display the password explicitly, a clear text, I don’t think we shall have any exception for any password to be displayed without encryption from GUI.

Let me give a scenario here: if I don’t know what’s the passwd of this External Server (SFTP) I just need go to this page to give a space at the end of existing password, click Save then I can hack the passwd easily.
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.

Bug Details Include

  • Full Description (including symptoms, conditions and workarounds)
  • Status
  • Severity
  • Known Fixed Releases
  • Related Community Discussions
  • Number of Related Support Cases
Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.