Do vulnerabilities CWE-522 and CWE-359 affect Service Desk Manager?

Article ID: 274843


Products

CA Service Management - Service Desk Manager

CA Service Desk Manager

Issue/Introduction

The security team found the following vulnerabilities in Service Desk Manager. 

- CWE-522: Insufficiently Protected Credentials

- CWE-359: Privacy Violation

Environment

CA Service Desk Manager 17.3 and 17.4

Resolution

- CWE-522: Insufficiently Protected Credentials

An attacker cannot eavesdrop on the wire to obtain the user ID, because the application is served over HTTPS and data is transmitted over a secure channel. The value is not hardcoded in the HTML code; it is the dynamic value of the current user, and valid HTML with user data is returned only if the current session is properly authenticated and authorized. This response can be viewed only by a valid user. Moreover, this information is displayed in the SDM UI, so our response contains it, and it cannot be accessed by other, unintended users. Hence it is a false positive.

- CWE-359: Privacy Violation

We do not expose any user information as a cookie name or value. The cookie name is simply the hardcoded value "loggedUser". This is not a privacy breach, because an attacker cannot obtain any user information from it.

Moreover, this cookie is set only if the "NX_USE_ENCRYPTED_SID_AND_COOKIE" variable is set to "Yes".

As per the statement below from "Micro Focus", they do say it can be a false positive, and we can confirm that it is not a username that was set.

Hence this vulnerability is also a false positive.
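One way to check the CWE-359 claim above during triage, as an added example that is not part of the original article or the product: the Python below scans captured `Set-Cookie` headers for a known user identifier in plain, URL-encoded, base64 or hex form. The function names, cookie values and identifiers are constructed for illustration; only the cookie name "loggedUser" comes from the article.

```python
import base64
import binascii
from http.cookies import SimpleCookie
from urllib.parse import unquote


def decodings(value):
    """Return the raw value plus its URL-, base64- and hex-decoded forms."""
    forms = {value, unquote(value)}
    try:
        padded = value + "=" * (-len(value) % 4)
        forms.add(base64.b64decode(padded, validate=True).decode("utf-8", "ignore"))
    except (binascii.Error, ValueError):
        pass  # not valid base64
    try:
        forms.add(bytes.fromhex(value).decode("utf-8", "ignore"))
    except ValueError:
        pass  # not valid hex
    return forms


def cookie_identity_leaks(set_cookie_headers, identifiers):
    """Return (cookie_name, identifier) pairs where an identifier is readable
    in a cookie name or value, directly or after a trivial decoding."""
    leaks = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            haystack = " ".join(decodings(name) | decodings(morsel.value)).lower()
            for ident in identifiers:
                if ident.lower() in haystack:
                    leaks.append((name, ident))
    return leaks


if __name__ == "__main__":
    # Constructed sample headers; the real cookie value format is not given in the article.
    opaque = ["loggedUser=3f9a1c77d2; Path=/; Secure; HttpOnly"]
    encoded_name = ["loggedUser=anNtaXRo; Path=/"]  # base64 of the constructed user "jsmith"
    print(cookie_identity_leaks(opaque, ["jsmith"]))        # no identifier found
    print(cookie_identity_leaks(encoded_name, ["jsmith"]))  # identifier recovered
```

An empty result for the test account's login name, email and display name supports the false-positive assessment; any hit means the value carries user data and the finding should be reopened.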