VYPR
Unrated severity · NVD Advisory · Published May 14, 2020 · Updated Aug 4, 2024

CVE-2019-13021

Description

The administrative passwords for all versions of Bond JetSelect are stored within an unprotected file on the filesystem, rather than encrypted within the MySQL database. This backup copy of the passwords is made as part of the installation script, after the administrator has generated a password using ENCtool.jar (see CVE-2019-13022). This allows any low-privilege user who can read this file to trivially obtain the passwords for the administrative accounts of the JetSelect application. The path to the file containing the encoded password hash is /opt/JetSelect/SFC/resources/sfc-general-properties.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

JetSelect stores admin password hashes in an unprotected file, allowing low-privilege users to read them and obtain administrative credentials.

Vulnerability

In all versions of Bond JetSelect, administrative password hashes are stored in an unprotected file at /opt/JetSelect/SFC/resources/sfc-general-properties rather than encrypted within the MySQL database. During installation, a script (/home/bondit/jsl/3passchange.sh) creates a backup copy (sfc-general-properties.bak) containing the same hashes. This file is readable by any low-privilege user on the system [1].

Exploitation

An attacker with low-privilege access to the filesystem can read the unprotected properties file or its backup. No further authentication or user interaction is required. The file contains the encoded password hashes for all administrative accounts [1].

Impact

By obtaining these password hashes, a low-privilege attacker can leverage CVE-2019-13022 to decrypt them and gain credentials for JetSelect's administrative accounts. This leads to full compromise of the application, including the ability to modify network segregation settings [1].

Mitigation

The vendor JetStream has released a patch. Users should apply the latest version from the vendor. The reference notes that a patching window was allowed for vessels; as of the advisory date, a fix is available [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
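
A defender's check for the exposure described above, as an added example that is not part of the advisory or any vendor tooling: it reports JetSelect credential files whose mode grants read access beyond the owner. The directory comes from the advisory; that the .bak copy sits in the same directory, and the optional ROOT argument (for auditing a mounted image), are assumptions.

```shell
#!/bin/sh
# Added example (not vendor tooling): audit JetSelect credential files for
# read access beyond the owner.
# Usage after sourcing: audit_jetselect_creds [ROOT]
#   ROOT (assumption) is a filesystem root to audit, e.g. a mounted image.

RES_DIR_REL="opt/JetSelect/SFC/resources"   # directory named in the advisory
NAME_GLOB="sfc-general-properties*"         # original plus .bak (assumed alongside)

# Prints one finding per line; returns 0 = clean, 1 = exposed, 2 = not found.
audit_jetselect_creds() {
    root="${1:-/}"
    dir="${root%/}/$RES_DIR_REL"
    if [ ! -d "$dir" ]; then
        echo "not-found $dir"
        return 2
    fi
    # -perm -040 / -004: the group-read or other-read bit is set.
    exposed=$(find "$dir" -maxdepth 1 -type f -name "$NAME_GLOB" \
        \( -perm -040 -o -perm -004 \) -print)
    if [ -z "$exposed" ]; then
        echo "ok $dir"
        return 0
    fi
    printf '%s\n' "$exposed" | while IFS= read -r f; do
        if [ -n "$(find "$f" -perm -004 -print)" ]; then
            echo "world-readable $f"    # any local account can read the hashes
        else
            echo "group-readable $f"    # exposure depends on group membership
        fi
    done
    return 1
}
```

A non-zero return on a production host means the files should be restricted to the service account, and the administrative passwords treated as exposed and rotated once the vendor fix is applied.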

References

1
