CVE Vulnerability

CVE-2019-13022

Bond JetSelect (all versions) has an issue in the Java class (ENCtool.jar) and corresponding password generation algorithm (used to set initial passwords upon first installation). It XORs the plaintext into the 'encrypted' password that is then stored within the database. These steps are able to be trivially reversed, allowing for escalation of privilege within the JetSelect application through obtaining the passwords of JetSelect administrators. JetSelect administrators have the ability to modify and delete all networking configuration across a vessel, as well as altering network configuration of all managed network devices (switches, routers).

10 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 10 / Impact : 10

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

Scope

9.8 /10

CVSS v3.0 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://labs.nettitude.com/blog/cve-2019-13021-22-23-jetselect-network-segregation-application/ Exploit Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:jetstream:jetselect:*:*:*:*:*:*:*:*
Information

Published : 2020-05-14 05:15

Updated : 2021-07-21 11:39

NVD link : CVE-2019-13022

Mitre link : CVE-2019-13022

Products Affected
No products.
CWE
CWE-327