|
[Japanese]
|
JVNDB-2020-000004
|
Trend Micro Password Manager vulnerable to information disclosure
|
|
Password Manager provided by Trend Micro Incorporated contains an information disclosure vulnerability (CWE-200).
Under certain conditions, the information ID, password etc. managed by Password Manager are kept on the memory in plaintext. They may be retrieved when the memory scan is done.
Note that this vulnerability is different from JVN#37183636.
BlackWingCat of PinkFlyingWhale reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
|
|
CVSS V3 Severity:
Base Metrics 5.6 (Medium) [IPA Score]
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
CVSS V2 Severity:
Base Metrics 1.5 (Low) [IPA Score]
- Access Vector: Local
- Access Complexity: Medium
- Authentication: Single Instance
- Confidentiality Impact: Partial
- Integrity Impact: None
- Availability Impact: None
|
|
|
Trend Micro, Inc.
- Password Manager for Windows Version 3.8.0.1103 and earlier
- Password Manager for Mac Version 3.8.0.1052 and earlier
|
According to the developer, Password Manager for Android and Password Manager for iOS are not affected by this vulnerability.
|
|
Any user of the product or an administrator may scan the memory to obtain sensitive information.
|
|
[Update the Software]
Update to the latest version of software according to the information provided by the developer.
The developer informs us that this vulnerability was addressed in Password Manager for Windows Version 5.0.0.1058 and Password Manager for Mac Version 5.0.1037.
|
|
Trend Micro, Inc.
|
|
- Information Exposure(CWE-200) [IPA Evaluation]
|
|
- CVE-2019-15625
|
|
- JVN : JVN#49593434
- National Vulnerability Database (NVD) : CVE-2019-15625
|
|
- [2020/01/17]
Web page was published
|
