Cisco FMC Password Reset Disclosure Vulnerability (CVE-2024-20388)
CVE-2024-20388 Published on October 23, 2024
A vulnerability in the password change feature of Cisco Firepower Management Center (FMC) software could allow an unauthenticated, remote attacker to determine valid user names on an affected device. This vulnerability is due to improper authentication of password update responses. An attacker could exploit this vulnerability by forcing a password reset on an affected device. A successful exploit could allow the attacker to determine valid user names in the unauthenticated response to a forced password reset.
Vulnerability Analysis
CVE-2024-20388 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality, a small impact on integrity and availability.
Weakness Type
Exposure of Sensitive Information Through Data Queries
When trying to keep information confidential, an attacker can often infer some of the information by using statistics. In situations where data should not be tied to individual users, but a large number of users should be able to make queries that "scrub" the identity of users, it may be possible to get information about a user -- e.g., by specifying search terms that are known to be unique to that user.
Products Associated with CVE-2024-20388
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2024-20388 are published in these products:
Affected Versions
Cisco Firepower Management Center:- Version 6.2.3 is affected.
- Version 6.2.3.1 is affected.
- Version 6.2.3.2 is affected.
- Version 6.2.3.3 is affected.
- Version 6.2.3.4 is affected.
- Version 6.2.3.5 is affected.
- Version 6.2.3.6 is affected.
- Version 6.2.3.7 is affected.
- Version 6.2.3.9 is affected.
- Version 6.2.3.10 is affected.
- Version 6.2.3.11 is affected.
- Version 6.2.3.12 is affected.
- Version 6.2.3.13 is affected.
- Version 6.2.3.14 is affected.
- Version 6.2.3.15 is affected.
- Version 6.2.3.8 is affected.
- Version 6.2.3.16 is affected.
- Version 6.2.3.17 is affected.
- Version 6.2.3.18 is affected.
- Version 6.4.0 is affected.
- Version 6.4.0.1 is affected.
- Version 6.4.0.3 is affected.
- Version 6.4.0.2 is affected.
- Version 6.4.0.4 is affected.
- Version 6.4.0.5 is affected.
- Version 6.4.0.6 is affected.
- Version 6.4.0.7 is affected.
- Version 6.4.0.8 is affected.
- Version 6.4.0.9 is affected.
- Version 6.4.0.10 is affected.
- Version 6.4.0.11 is affected.
- Version 6.4.0.12 is affected.
- Version 6.4.0.13 is affected.
- Version 6.4.0.14 is affected.
- Version 6.4.0.15 is affected.
- Version 6.4.0.16 is affected.
- Version 6.4.0.17 is affected.
- Version 6.4.0.18 is affected.
- Version 6.6.0 is affected.
- Version 6.6.0.1 is affected.
- Version 6.6.1 is affected.
- Version 6.6.3 is affected.
- Version 6.6.4 is affected.
- Version 6.6.5 is affected.
- Version 6.6.5.1 is affected.
- Version 6.6.5.2 is affected.
- Version 6.6.7 is affected.
- Version 6.6.7.1 is affected.
- Version 6.6.7.2 is affected.
- Version 6.7.0 is affected.
- Version 6.7.0.1 is affected.
- Version 6.7.0.2 is affected.
- Version 6.7.0.3 is affected.
- Version 7.0.0 is affected.
- Version 7.0.0.1 is affected.
- Version 7.0.1 is affected.
- Version 7.0.1.1 is affected.
- Version 7.0.2 is affected.
- Version 7.0.2.1 is affected.
- Version 7.0.3 is affected.
- Version 7.0.4 is affected.
- Version 7.0.5 is affected.
- Version 7.0.6 is affected.
- Version 7.0.6.1 is affected.
- Version 7.0.6.2 is affected.
- Version 7.1.0 is affected.
- Version 7.1.0.1 is affected.
- Version 7.1.0.2 is affected.
- Version 7.1.0.3 is affected.
- Version 7.2.0 is affected.
- Version 7.2.1 is affected.
- Version 7.2.2 is affected.
- Version 7.2.0.1 is affected.
- Version 7.2.3 is affected.
- Version 7.2.3.1 is affected.
- Version 7.2.4 is affected.
- Version 7.2.4.1 is affected.
- Version 7.2.5 is affected.
- Version 7.2.5.1 is affected.
- Version 7.2.6 is affected.
- Version 7.2.7 is affected.
- Version 7.2.5.2 is affected.
- Version 7.2.8 is affected.
- Version 7.2.8.1 is affected.
- Version 7.3.0 is affected.
- Version 7.3.1 is affected.
- Version 7.3.1.1 is affected.
- Version 7.3.1.2 is affected.
- Version 7.4.0 is affected.
- Version 7.4.1 is affected.
- Version 7.4.1.1 is affected.
- Version 6.6.5.1 is affected.
- Version 6.6.7 is affected.
- Version 6.4.0.4 is affected.
- Version 6.4.0.10 is affected.
- Version 6.4.0.12 is affected.
- Version 6.4.0.14 is affected.
- Version 6.4.0.16 is affected.
- Version 6.4.0.18 is affected.
- Version 6.7.0.2 is affected.
- Version 7.1.0.1 is affected.
- Version 7.1.0.3 is affected.
- Version 7.2.2 is affected.
- Version 7.4.1 is affected.
- Version 6.2.3, <= 6.2.3.18 is affected.
- Version 6.4.0, <= 6.4.0.18 is affected.
- Version 6.6.0, <= 6.6.7.2 is affected.
- Version 6.7.0, <= 6.7.0.3 is affected.
- Version 7.0.0, <= 7.0.6.2 is affected.
- Version 7.1.0, <= 7.1.0.3 is affected.
- Version 7.2.0, <= 7.2.8.1 is affected.
- Version 7.3.0, <= 7.3.1.2 is affected.
- Version 7.4.0, <= 7.4.1.1 is affected.
- Version 6.4.0.4, <= 6.4.0.18 is affected.
- Version 6.6.5.1, <= 6.6.7 is affected.
- Version 6.7.0.2 is affected.
- Version 7.1.0.1, <= 7.1.0.3 is affected.
- Version 7.2.2 is affected.
- Version 7.4.1 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.