
Re: assignment question

On Tue, Dec 11, 2018 at 5:43 PM Art Manion <amanion@cert.org> wrote:

There is some software; part of the installation is a web server/application.  On initial install, the web application is configured with a default password.  Upon first login, the user is required to change the password, create new account(s), along with other first-time setup configuration activities.

IOW, if I obtain and install this software and walk away before completing the first-time setup, I've left myself exposed.

Can you set a password in some other way (e.g. feeding it a configuration option/file)? If yes, then you have a safe way to do this. If not, I'd say it's CVE worthy. Precedent: FreeNAS CVE-2014-5334


This is *barely* a vulnerability in my book, assuming there are sufficient warnings and documentation informing the user about the need to run the first-time setup.

CVE or no CVE?

In my book, if you CAN do it safely but pick an unsafe route, no CVE; but if you have no safe route to take, you win a CVE.


  - Art

My answer is a weak "yes" with as low a severity/priority as possible.

Kurt Seifried
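The distinction the thread turns on (a shipped default password versus an initial password supplied through a configuration file) can be shown in code. The following is an added illustration, not software from the thread or from any product mentioned in it; the `install.conf` key name `initial_admin_password`, the config contents and the default password `admin` are constructed for the example.

```python
"""First-run credential provisioning: the 'safe route' versus the default.

Two ways an installer can seed the first admin credential:
  * ship a fixed default password and rely on the operator to finish
    first-time setup (the exposure window discussed in the thread), or
  * read the initial password from an install-time configuration file so
    that no publicly known default is ever accepted by the web app.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed: a well-known default a product might ship with.
SHIPPED_DEFAULT_PASSWORD = "admin"


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt, digest


def parse_install_config(text: str) -> Dict[str, str]:
    """Parse a minimal key=value install file (constructed format, not a real product's)."""
    config: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        config[key.strip()] = value.strip()
    return config


class AdminAccount:
    """Models the admin credential state of the web application at startup."""

    def __init__(self) -> None:
        self.salt = b""
        self.digest = b""
        self.setup_complete = False

    def provision(self, config: Dict[str, str]) -> str:
        """Seed the admin credential; returns which route was taken."""
        supplied = config.get("initial_admin_password")
        if supplied:
            # Safe route: operator-chosen secret from the install config,
            # so first login does not depend on a known default.
            self.salt, self.digest = hash_password(supplied)
            self.setup_complete = True
            return "config"
        # Unsafe route: the shipped default is live until setup is finished.
        self.salt, self.digest = hash_password(SHIPPED_DEFAULT_PASSWORD)
        self.setup_complete = False
        return "default"

    def login(self, password: str) -> bool:
        _, candidate = hash_password(password, self.salt)
        return hmac.compare_digest(candidate, self.digest)

    def exposed_to_default(self) -> bool:
        """True while the publicly known default password is accepted."""
        return self.login(SHIPPED_DEFAULT_PASSWORD)


def startup_from_config(config_text: str) -> AdminAccount:
    """Simulate application startup against a given install config."""
    account = AdminAccount()
    account.provision(parse_install_config(config_text))
    return account


# Constructed sample install files for the two routes.
SAFE_CONFIG = "# install.conf\ninitial_admin_password = correct horse battery staple\n"
UNSAFE_CONFIG = "# install.conf with no password set\nlisten_port = 8080\n"

if __name__ == "__main__":
    for label, text in (("safe", SAFE_CONFIG), ("unsafe", UNSAFE_CONFIG)):
        acct = startup_from_config(text)
        print(f"{label}: setup_complete={acct.setup_complete} "
              f"default_accepted={acct.exposed_to_default()}")
```

The `exposed_to_default()` check is the condition the thread is arguing about: a product that only ever takes the second path has no safe route, while one that honours the config key lets the installer close the window before the service is reachable.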

Page Last Updated or Reviewed: December 17, 2018