CVE-2001-0983

Published Aug 31, 2001

Last updated 8 years ago

Overview

Description: UltraEdit uses weak encryption to record FTP passwords in the uedit32.ini file, which allows local users who can read the file to decrypt the passwords and gain privileges.
Source: cve@mitre.org
NVD status: Modified

Hype score: Not currently trending

Risk scores

CVSS 2.0

Type: Primary
Base score: 4.6
Impact score: 6.4
Exploitability score: 3.9
Vector string: AV:L/AC:L/Au:N/C:P/I:P/A:P

Weaknesses

nvd@nist.gov: NVD-CWE-Other

Vendor comments

UltraEditWe include an option, by design, that allows the user to *not* save the password, and instead enter the password on a per FTP session basis. This would provide the highest level of security. If the user decides to have UltraEdit save the FTP password in the INI, it is encrypted for the benefit of the user moving their settings from one system to another. However, even with the highest level of encryption of the saved password, if the user decides to save their password in the INI, there will always be a level of vulnerability as a result of the users decision to save the password.

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:ultraedit:ultraedit-32:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "9C7A9247-740B-4D28-B8CD-29013001E1E6"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

Overview

Social media

Risk scores

CVSS 2.0

Weaknesses

Vendor comments

Configurations

References