Vulnerability Description
NeuVector 3.1 when configured to allow authentication via Active Directory, does not enforce non-empty passwords which allows an attacker with access to the Neuvector portal to authenticate as any valid LDAP user by providing a valid username and an empty password (provided that the active directory server has not been configured to reject empty passwords).
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Neuvector | Neuvector | <= 3.1 |
Related Weaknesses (CWE)
References
- https://neuvector.com/container-security/blog/Vendor Advisory
- https://paulrobertson.co.za/cve-2019-19747/ExploitThird Party Advisory
- https://neuvector.com/container-security/blog/Vendor Advisory
- https://paulrobertson.co.za/cve-2019-19747/ExploitThird Party Advisory
FAQ
What is CVE-2019-19747?
CVE-2019-19747 is a vulnerability with a CVSS score of 9.8 (CRITICAL). NeuVector 3.1 when configured to allow authentication via Active Directory, does not enforce non-empty passwords which allows an attacker with access to the Neuvector portal to authenticate as any val...
How severe is CVE-2019-19747?
CVE-2019-19747 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2019-19747?
Check the references section above for vendor advisories and patch information. Affected products include: Neuvector Neuvector.