CVE-2019-4693

Vulnerability

IBM Guardium Data Encryption (GDE) version 3.0.0.2 stores user credentials in plain clear text that can be read by a local privileged user [1]. The vulnerability is identified by CVE-2019-4693 and affects the GDE 3.0.0.2 release [1].

Exploitation

An attacker must have local privileged access to the system running GDE 3.0.0.2 to read the stored credentials [1]. No user interaction is required beyond obtaining local privileged access. The attacker can then directly access the files or configuration storage where credentials are held in plaintext.

Impact

A successful attacker can read user credentials stored in plaintext, leading to a compromise of confidentiality. The scope of the impact is changed from the vulnerable component according to the CVSS vector (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N), indicating that the attacker gains access to credentials that may be used to access other potentially more privileged resources.

Mitigation

IBM has fixed this vulnerability in Guardium Data Encryption (GDE) version 4.0.0.0 [1]. Users should upgrade to GDE 4.0.0.0 or later to remediate the issue. No workarounds are mentioned in the available references.