CVE-2024-10404: Clear text password seen in switch-asset-collectors-mw in Brocade SANnav supportsave
Description
CalInvocationHandler in Brocade
SANnav before 2.3.1b logs sensitive information in clear text. The
vulnerability could allow an authenticated, local attacker to view
Brocade Fabric OS switch sensitive information in clear text. An
attacker with administrative privileges could retrieve sensitive
information including passwords; SNMP responses that contain AuthSecret
and PrivSecret after collecting a “supportsave” or getting access to an
already collected “supportsave”. NOTE: this issue exists because of an incomplete fix for CVE-2024-29952
Classification
CVE ID: CVE-2024-10404
CVSS Base Severity: MEDIUM
CVSS Base Score: 5.5
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N
Affected Products
Vendor: Brocade
Product: Brocade SANnav
Exploit Prediction Scoring System (EPSS)
EPSS Score: 0.04% (probability of being exploited)
EPSS Percentile: 11.99% (scored less or equal to compared to others)
EPSS Date: 2025-03-15 (when was this score calculated)