EIQ-2018-0003
ID |
EIQ-2018-0003 (Former ref.: 1801-03) |
CVE |
- |
Description |
Password reset code is written to the audit trail |
Date |
- |
Severity |
1 - LOW |
CVSSv3 score |
CVSSv3 score not available on NIST NVD. |
Status |
2.3.2 |
Assessment |
During a user-triggered password reset, the temporary password / one-time-password (OTP) is stored in the audit trail, which is accessible to platform API users. This creates a window of time where a malicious user could reset the password of another user. |
Mitigation |
This data will be removed from the audit trail. |
Affected versions |
Customers using the platform local user management (AD/SAML) are not affected. |
Notes |
A potential attacker requires an audit trail to reset the password of other resources. If such an action is performed, it is also captured in the audit trail. |