CVE-ID

CVE-1999-0501

• CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
A Unix account has a guessable password.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
Assigning CNA
MITRE Corporation
Date Entry Created
19990607 Disclaimer: The entry creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Proposed (19990714)
Votes (Legacy)
ACCEPT(3) Baker, Northcutt, Shostack
RECAST(2) Frech, Meunier
REVIEWING(1) Christey
Comments (Legacy)
 Frech> Guessable falls into the class of CVE-1999-0502, since I can guess a
   default, null, etc. password.
   Suggest changing to something like "has an existing non-default password
   that can be guessed."
   I'm also including default passwords in this entry. 
   In that vein, we show the following references:
   XF:user-password
   XF:passwd-username
   XF:default-unix-sync
   XF:default-unix-4dgifts
   XF:default-unix-bin
   XF:default-unix-daemon
   XF:default-unix-lp
   XF:default-unix-me
   XF:default-unix-nuucp
   XF:default-unix-root
   XF:default-unix-toor
   XF:default-unix-tour
   XF:default-unix-tty
   XF:default-unix-uucp
 Christey> This candidate is affected by the CD:CF-PASS content decision,
   which determines the appropriate level of abstraction to
   use for password problems.  CD:CF-PASS needs to be accepted
   by the Editorial Board before this candidate can be
   converted into a CVE entry; the final version of CD:CF-PASS
   may require using a different LOA than this candidate is
   currently using.
 CHANGE> [Meunier changed vote from ACCEPT to RECAST]
 Meunier> This relates only to account password technology, so this candidate is
   independent of the operating system, application, web site or other
   application of this technology.  The appropriate (natural) level of
   abstraction is therefore without specifying that it is for UNIX.
   Change the description to "An account has a guessable password other
   than default, null, blank."  This should satisfy Andre's objection.
   
   This Candidate should be merged with any candidate relating to
   account password technology where "Unix" in the original description
   can be replaced by something else.

Proposed (Legacy)
19990714
This is an entry on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.