CVE-2015-0922

McAfee ePolicy Orchestrator (ePO) before 4.6.9 and 5.x before 5.1.2 uses the same secret key across different customers' installations, which allows attackers to obtain the administrator password by leveraging knowledge of the encrypted password.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5 UNKNOWN
NETWORK
LOW
AV:N/AC:L/Au:N/C:P/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
mcafeeepolicy_orchestrator
𝑥
≤ 4.6.8
mcafeeepolicy_orchestrator
5.0.0
mcafeeepolicy_orchestrator
5.0.1
mcafeeepolicy_orchestrator
5.1.0
mcafeeepolicy_orchestrator
5.1.1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://packetstormsecurity.com/files/129827/McAfee-ePolicy-Orchestrator-Authenticated-XXE-Credential-Exposure.html
http://seclists.org/fulldisclosure/2015/Jan/37
http://seclists.org/fulldisclosure/2015/Jan/8
http://www.securityfocus.com/bid/72298
http://www.securitytracker.com/id/1031519
https://exchange.xforce.ibmcloud.com/vulnerabilities/99949
https://gist.github.com/brandonprry/692e553975bf29aeaf2c
https://kc.mcafee.com/corporate/index?page=content&id=SB10095
http://packetstormsecurity.com/files/129827/McAfee-ePolicy-Orchestrator-Authenticated-XXE-Credential-Exposure.html
http://seclists.org/fulldisclosure/2015/Jan/37
http://seclists.org/fulldisclosure/2015/Jan/8
http://www.securityfocus.com/bid/72298
http://www.securitytracker.com/id/1031519
https://exchange.xforce.ibmcloud.com/vulnerabilities/99949
https://gist.github.com/brandonprry/692e553975bf29aeaf2c
https://kc.mcafee.com/corporate/index?page=content&id=SB10095