Trend Micro Password Manager vulnerable to information disclosure


Password Manager provided by Trend Micro Incorporated contains an information disclosure vulnerability (CWE-200).
Under certain conditions, information managed by Password Manager, such as IDs and passwords, is kept in memory in plaintext. It may be retrieved by scanning the memory.

Note that this vulnerability is different from JVN#37183636.

BlackWingCat of PinkFlyingWhale reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity

CVSS V3 Severity:
Base Metrics 5.6 (Medium) [IPA Score]
  • Attack Vector: Local
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Changed
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics 1.5 (Low) [IPA Score]
  • Access Vector: Local
  • Access Complexity: Medium
  • Authentication: Single Instance
  • Confidentiality Impact: Partial
  • Integrity Impact: None
  • Availability Impact: None
Affected Products

Trend Micro, Inc.
  • Password Manager for Windows Version and earlier
  • Password Manager for Mac Version and earlier

According to the developer, Password Manager for Android and Password Manager for iOS are not affected by this vulnerability.

Any user of the product or an administrator may scan the memory to obtain sensitive information.

[Update the Software]
Update to the latest version of software according to the information provided by the developer.
The developer informs us that this vulnerability was addressed in Password Manager for Windows Version and Password Manager for Mac Version 5.0.1037.
Vendor Information

Trend Micro, Inc.
CWE

  1. Information Exposure (CWE-200) [IPA Evaluation]
CVE

  1. CVE-2019-15625

  1. JVN : JVN#49593434
  2. National Vulnerability Database (NVD) : CVE-2019-15625
Revision History

  • [2020/01/17]
      Web page was published