
Security Advisory: Knowage Password Hash Disclosure

Posted by David Chadwick - 05 August, 2019


Knowage Password Hash Disclosure

Release date: 29/07/2019

Last update: 29/07/2019

Vendor: Knowage-suite

Vendor site: https://www.knowage-suite.com/site/home/

Product: Knowage

Affected version(s): 6.1.1

Remediated version: 6.4

Severity Rating: Low

Impact: Exposure of sensitive information

Attack vector: Remote with authentication

CVE: CVE-2019-13349


Details: The application exposes the password hashes of all users when an administrator visits the user administration page. These hashes can be taken offline and cracked to recover cleartext passwords. Because administrator access is required to reach the page, exploitation is unlikely.

The following link provides a proof of concept; it returns a list of users together with their password hashes:

https://<HOST>/knowage/restful-services/2.0/users
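As an added illustration (not code from Knowage or from the advisory's author), the Python below shows both halves of the defensive picture for this class of bug: an allow-list serializer that emits only display fields for a user record, and a check that walks a JSON response and flags values that look like password hashes. The second function is what a defender would run over the body returned by the endpoint above after upgrading, to confirm the hashes are gone. The sample records, field names and hash patterns are constructed assumptions, not Knowage's actual data model.

```python
import json
import re

# Constructed sample of a user-administration response that leaks credential
# material alongside user records (hypothetical data, not captured from Knowage).
LEAKY_RESPONSE = [
    {"id": 1, "userId": "admin", "fullName": "Administrator",
     "password": "$2a$10$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0"},
    {"id": 2, "userId": "analyst", "fullName": "Report Analyst",
     "password": "0123456789abcdef0123456789abcdef"},
]

# Allow-list of fields a user-listing API may return. Anything not named here
# (password hashes, salts, tokens) is dropped before serialization. Field names
# are assumptions for this example.
PUBLIC_USER_FIELDS = ("id", "userId", "fullName")

# Value shapes commonly used for stored password hashes.
HASH_PATTERNS = {
    "bcrypt": re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$"),
    "sha-crypt": re.compile(r"^\$[56]\$[^$]+\$[./A-Za-z0-9]+$"),
    "hex-digest": re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$"),
}
# Field names that should never appear in a response to a listing endpoint.
SENSITIVE_NAMES = re.compile(r"password|passwd|pwd|hash|secret|salt", re.IGNORECASE)


def redact_user(record: dict) -> dict:
    """Return a copy of one user record containing only allow-listed fields."""
    return {field: record[field] for field in PUBLIC_USER_FIELDS if field in record}


def build_user_list_response(records: list) -> str:
    """Serialize a user list the way a hardened endpoint should: allow-list first."""
    return json.dumps([redact_user(r) for r in records])


def _classify(key: str, value: str):
    """Name the reason a string field looks like credential material, or None."""
    for name, pattern in HASH_PATTERNS.items():
        if pattern.match(value):
            return name
    if SENSITIVE_NAMES.search(key):
        return "sensitive-field-name"
    return None


def _walk(node, path: str, findings: list) -> None:
    """Recursively visit dicts and lists, recording (json-path, reason) findings."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if isinstance(value, str):
                reason = _classify(key, value)
                if reason:
                    findings.append((child, reason))
            else:
                _walk(value, child, findings)
    elif isinstance(node, list):
        for index, item in enumerate(node):
            _walk(item, f"{path}[{index}]", findings)


def find_hash_like_fields(payload) -> list:
    """Scan a decoded JSON body; an empty list means no hash-like values were found."""
    findings: list = []
    _walk(payload, "", findings)
    return findings


if __name__ == "__main__":
    print("leaky response findings:", find_hash_like_fields(LEAKY_RESPONSE))
    hardened = build_user_list_response(LEAKY_RESPONSE)
    print("hardened response:", hardened)
    print("hardened findings:", find_hash_like_fields(json.loads(hardened)))
```

To verify remediation against a live instance, fetch the endpoint with an administrator session, `json.loads` the body, and pass it to `find_hash_like_fields`; any non-empty result means credential material is still being returned. The allow-list approach in `redact_user` is preferable to a deny-list of field names because a new sensitive column added later is excluded by default rather than leaked by default.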


Recommendation: Update to the latest patch.

Discovered by: David Chadwick from Content Security Pty. Ltd.
