The security team found the following vulnerabilities in Service Desk Manager.
CA Service Desk Manager 17.3 and 17.4
- CWE-522: Insufficiently Protected Credentials
An attacker cannot eavesdrop on the wire to obtain the user ID, because the application runs over HTTPS and the data is transmitted over a secure channel. The value is not hardcoded in the HTML code; it is a dynamic value for the current user, and valid HTML with user data is returned only if the current session is properly authenticated and authorized. This response can be viewed only by a valid user. Moreover, this information is displayed in the SDM UI, so the response contains it, and it cannot be accessed by any other, unintended user. Hence it is a false positive.
We do not expose any user information as a cookie name or value. "loggedUser" is just a hardcoded value used as the cookie name. This is not a privacy breach, as an attacker cannot get any user information out of it.
Moreover, this cookie is set only if the "NX_USE_ENCRYPTED_SID_AND_COOKIE" variable is set to "Yes".
As per the statement below from "Micro Focus", they do say it can be a false positive, and we can confirm that it is not a username that was set.
Hence this vulnerability is also a false positive.