{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2024-6890","assignerOrgId":"bbf0bd87-ece2-41be-b873-96928ee8fab9","state":"PUBLISHED","assignerShortName":"KoreLogic","dateReserved":"2024-07-18T19:25:47.090Z","datePublished":"2024-08-07T23:09:40.249Z","dateUpdated":"2024-08-08T13:28:52.446Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","platforms":["Linux"],"product":"Journyx (jtime)","vendor":"Journyx","versions":[{"status":"affected","version":"11.5.4"}]}],"credits":[{"lang":"en","type":"finder","value":"Jaggar Henry of KoreLogic, Inc."}],"datePublic":"2024-08-07T23:05:00.000Z","descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<pre>Password reset tokens are generated using an insecure source of randomness. An unauthenticated attacker who knows the username of the Journyx installation user can brute-force the password reset token and change the administrator password.</pre><br>"}],"value":"Password reset tokens are generated using an insecure source of randomness. 
An unauthenticated attacker who knows the username of the Journyx installation user can brute-force the password reset token and change the administrator password."}],"problemTypes":[{"descriptions":[{"cweId":"CWE-321","description":"CWE-321 Use of Hard-coded Cryptographic Key","lang":"en","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-334","description":"CWE-334 Small Space of Random Values","lang":"en","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-799","description":"CWE-799 Improper Control of Interaction Frequency","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"bbf0bd87-ece2-41be-b873-96928ee8fab9","shortName":"KoreLogic","dateUpdated":"2024-08-07T23:15:35.997Z"},"references":[{"tags":["third-party-advisory"],"url":"https://korelogic.com/Resources/Advisories/KL-001-2024-007.txt"}],"source":{"discovery":"UNKNOWN"},"title":"Journyx Unauthenticated Password Reset Bruteforce","x_generator":{"engine":"Vulnogram 0.2.0"}},"adp":[{"title":"CVE Program Container","references":[{"url":"http://seclists.org/fulldisclosure/2024/Aug/5"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-08T01:29:14.179Z"}},{"affected":[{"vendor":"journyx","product":"journyx","cpes":["cpe:2.3:a:journyx:journyx:11.5.4:*:*:*:*:*:*:*"],"defaultStatus":"unknown","versions":[{"version":"11.5.4","status":"affected"}]}],"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":9.8,"attackVector":"NETWORK","baseSeverity":"CRITICAL","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","integrityImpact":"HIGH","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"HIGH","privilegesRequired":"NONE","confidentialityImpact":"HIGH"}},{"other":{"type":"ssvc","content":{"timestamp":"2024-08-08T13:26:38.452163Z","id":"CVE-2024-6890","options":[{"Exploitation":"poc"},{"Automatable":"yes"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP 
Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-08-08T13:28:52.446Z"}}]}}