Brocade SANnav before v2.2.1 logs usernames and encoded passwords in debug-enabled logs

Vulnerability

Brocade SANnav versions before v2.2.1 log usernames and encoded passwords in debug-enabled logs. This occurs when debug logging is enabled, which is an administrative configuration. The affected product is Brocade SANnav, and the issue was identified internally by Broadcom.

Exploitation

An attacker with administrative privilege can exploit this vulnerability by accessing the debug logs where usernames and encoded passwords are stored. No user interaction or additional privileges are required beyond admin access to the system.

Impact

Successful exploitation allows an attacker to read usernames and encoded passwords. While the passwords are encoded, they may be susceptible to decoding or brute-force attacks, leading to further compromise. This results in high confidentiality impact and low integrity impact, as per CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N.

Mitigation

The vulnerability is fixed in Brocade SANnav version 2.2.1, released as per the advisory [1]. Users should upgrade to v2.2.1 or later. No workarounds are documented, and the CVE is not currently on the known exploited vulnerabilities (KEV) list.