CVE-2019-13021
MEDIUMjetstream jetselect - Cleartext Storage of Sensitive Information in Installation Script
Title source: llmDescription
The administrative passwords for all versions of Bond JetSelect are stored within an unprotected file on the filesystem, rather than encrypted within the MySQL database. This backup copy of the passwords is made as part of the installation script, after the administrator has generated a password using ENCtool.jar (see CVE-2019-13022). This allows any low-privilege user who can read this file to trivially obtain the passwords for the administrative accounts of the JetSelect application. The path to the file containing the encoded password hash is /opt/JetSelect/SFC/resources/sfc-general-properties.
References (1)
Core 1
Core References
Exploit, Third Party Advisory x_refsource_misc
https://labs.nettitude.com/blog/cve-2019-13021-22-23-jetselect-network-segregation-application/
Scores
CVSS v3
6.5
EPSS
0.0060
EPSS Percentile
44.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-312
Status
published
Products (1)
jetstream/jetselect
Published
May 14, 2020
Tracked Since
Feb 18, 2026