EIQ-2018-0003



ID

EIQ-2018-0003

(Former ref.: 1801-03)

CVE

-

Description

Password reset code is written to the audit trail

Date

-

Severity

1 - LOW

CVSSv3 score

CVSSv3 score not available on NIST NVD.

Status

images/s/en_GB/7701/d7b403a44466e5e8970db7530201039d865e79e1/_/images/icons/emoticons/check.svg 2.3.2

Assessment

During a user-triggered password reset, the temporary password / one-time-password (OTP) is stored in the audit trail, which is accessible to platform API users.

This creates a window of time where a malicious user could reset the password of another user.

Mitigation

This data will be removed from the audit trail.

Affected versions

Customers using the platform local user management (AD/SAML) are not affected.

Notes

A potential attacker requires an audit trail to reset the password of other resources.

If such an action is performed, it is also captured in the audit trail.

< Back to all security issues and mitigation actions