Vulnerability Details : CVE-2017-18486
Jitbit Helpdesk before 9.0.3 allows remote attackers to escalate privileges because of mishandling of the User/AutoLogin userHash parameter. By inspecting the token value provided in a password reset link, a user can leverage a weak PRNG to recover the shared secret used by the server for remote authentication. The shared secret can be used to escalate privileges by forging new tokens for any user. These tokens can be used to automatically log in as the affected user.
Products affected by CVE-2017-18486
- cpe:2.3:a:jitbit:helpdesk:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-18486
- 4.84%: Probability of exploitation activity in the next 30 days
- ~93%: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2017-18486
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P | 8.0 | 6.4 | NIST | |
7.2 | HIGH | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 1.2 | 5.9 | NIST | |
CWE ids for CVE-2017-18486
- The lack of entropy available for, or used by, a Pseudo-Random Number Generator (PRNG) can be a stability and security threat. Assigned by: nvd@nist.gov (Primary)
References for CVE-2017-18486
- https://github.com/Kc57/JitBit_Helpdesk_Auth_Bypass
  GitHub - Kc57/JitBit_Helpdesk_Auth_Bypass: Utility to derive the shared secret on a JitBit Helpdesk install which can be used for authentication bypass (CVE-2017-18486) (Exploit; Third Party Advisory)
- https://packetstormsecurity.com/files/144334/JitBit-Helpdesk-9.0.2-Broken-Authentication.html
  JitBit Helpdesk 9.0.2 Broken Authentication ≈ Packet Storm (Third Party Advisory; VDB Entry)
- https://www.exploit-db.com/exploits/42776
  JitBit HelpDesk < 9.0.2 - Authentication Bypass (Exploit; Third Party Advisory; VDB Entry)
- https://www.trustedsec.com/2017/09/full-disclosure-jitbit-helpdesk-authentication-bypass-0-day
  Full Disclosure: JitBit Helpdesk Authentication Bypass 0-Day - TrustedSec (Third Party Advisory)