CVE-2024-10404 MEDIUM

CVE-2024-10404: Clear text password seen in switch-asset-collectors-mw in Brocade SANnav supportsave

Vendor Brocade
Product Brocade SANnav
Weakness CWE-312 · Cleartext storage
Published February 14, 2025
Last update February 14, 2025

CVSS base score

5.5/10
Attack vector Local
Attack complexity Low
Privileges required High
User interaction Required
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N

What the vulnerability does

01Description

CalInvocationHandler in Brocade SANnav before 2.3.1b logs sensitive information in clear text. The vulnerability could allow an authenticated, local attacker to view Brocade Fabric OS switch sensitive information in clear text. An attacker with administrative privileges could retrieve sensitive information including passwords; SNMP responses that contain AuthSecret and PrivSecret after collecting a “supportsave” or getting access to an already collected “supportsave”. NOTE: this issue exists because of an incomplete fix for CVE-2024-29952

Key dates

02Disclosure timeline

February 14, 2025 CVE published
February 14, 2025 Record updated