VYPR
Unrated severity · NVD Advisory · Published May 14, 2020 · Updated Aug 4, 2024

CVE-2019-13023

Description

An issue was discovered in all versions of Bond JetSelect. Within the JetSelect Application, the web interface hides RADIUS secrets, WPA passwords, and SNMP strings from 'non administrative' users using HTML 'password field' obfuscation. By using Developer tools or similar, it is possible to change the obfuscation so that the credentials are visible.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Bond JetSelect uses HTML password field obfuscation to hide credentials from non-admin users, which can be trivially bypassed using browser developer tools to reveal plaintext secrets.

Vulnerability

All versions of Bond JetSelect, a network segregation application by JetStream, expose RADIUS secrets, WPA passwords, and SNMP strings to non-administrative users by displaying them in HTML password fields. The application relies on client-side obfuscation (changing the input type from text to password) to hide these credentials in the web interface. The affected versions include all releases prior to the fix; the JetSelect instance tested was hosted on Oracle Glassfish middleware [1].
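An added example (not code from the vendor, JetSelect, or this advisory) of a defender-side check for the pattern described above: it scans rendered HTML for password inputs whose `value` attribute carries a secret, and contrasts client-side masking with withholding the value on the server for non-administrative sessions. The field names, sample values and render functions are constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Constructed sample data; field names and values are hypothetical, not JetSelect's.
SAMPLE = {"radius_secret": "constructed-radius", "wpa_psk": "constructed-wpa",
          "snmp_community": "constructed-snmp"}

class _PrefilledSecretFinder(HTMLParser):
    """Collects names of <input type="password"> elements with a non-empty value."""
    def __init__(self):
        super().__init__()
        self.leaks = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}  # attribute names arrive lowercased
        if a.get("type", "").lower() == "password" and a.get("value", "").strip():
            self.leaks.append(a.get("name", "<unnamed>"))

def find_prefilled_secrets(html_text):
    """Return the field names whose secret was sent to the browser."""
    finder = _PrefilledSecretFinder()
    finder.feed(html_text)
    finder.close()
    return finder.leaks

def render_masked(name, secret, is_admin):
    """Pattern from the advisory: the value is in the response for every role."""
    return f'<input type="password" name="{escape(name)}" value="{escape(secret)}">'

def render_server_side(name, secret, is_admin):
    """Hardened: the server includes the value only for administrators."""
    value = escape(secret) if is_admin else ""
    return f'<input type="password" name="{escape(name)}" value="{value}">'

def build_page(render, is_admin):
    """Render every sample field with the given strategy for one session role."""
    return "\n".join(render(n, s, is_admin) for n, s in SAMPLE.items())

if __name__ == "__main__":
    for render in (render_masked, render_server_side):
        page = build_page(render, is_admin=False)
        print(render.__name__, "->", find_prefilled_secrets(page))
```

Run against responses captured from a non-administrative session, a non-empty result means the secret left the server and the masking is cosmetic only.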

Exploitation

An attacker needs to be a non-administrative user with access to the JetSelect web interface. No elevated privileges or special network position is required beyond typical authenticated access. By using browser developer tools (e.g., inspecting the HTML element or modifying the type attribute from password to text), the credentials become immediately visible. The attack requires no special timing, race condition, or additional system access [1].

Impact

Successful exploitation allows a non-administrative user to read sensitive secrets such as RADIUS shared secrets, WPA passphrases, and SNMP community strings. This constitutes a direct breach of confidentiality for network credentials that could enable lateral movement, network decryption, or further compromise of segregated network segments [1].

Mitigation

The vendor, JetStream, has published patches for this issue, though the specific fixed version number is not disclosed in the available references. Users should update to the latest version of JetSelect from the vendor. No workaround is described, but administrators should ensure all instances are patched. This CVE is not listed on CISA's Known Exploited Vulnerabilities catalog as of the publication date [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.


References

1
