CVE-2019-13022
CRITICALBond JetSelect - Use of a Broken or Risky Cryptographic Algorithm in Password Generation
Title source: llmDescription
Bond JetSelect (all versions) has an issue in the Java class (ENCtool.jar) and corresponding password generation algorithm (used to set initial passwords upon first installation). It XORs the plaintext into the 'encrypted' password that is then stored within the database. These steps are able to be trivially reversed, allowing for escalation of privilege within the JetSelect application through obtaining the passwords of JetSelect administrators. JetSelect administrators have the ability to modify and delete all networking configuration across a vessel, as well as altering network configuration of all managed network devices (switches, routers).
References (1)
Core 1
Core References
Exploit, Third Party Advisory x_refsource_misc
https://labs.nettitude.com/blog/cve-2019-13021-22-23-jetselect-network-segregation-application/
Scores
CVSS v3
9.8
EPSS
0.0131
EPSS Percentile
66.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-327
Status
published
Products (1)
jetstream/jetselect
Published
May 14, 2020
Tracked Since
Feb 18, 2026