Fleet
CVE-2019-1020009
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionNVD
Fleet before 2.1.2 allows exposure of SMTP credentials.
AnalysisAI
Fleet before 2.1.2 allows exposure of SMTP credentials. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Insufficiently Protected Credentials (CWE-522), which allows attackers to obtain user credentials due to weak protection mechanisms. Affected products include: Kolide Fleet. Version information: before 2.1.2.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Hash passwords with strong algorithms (bcrypt, argon2), encrypt credentials in transit and at rest, never log credentials.
Fleet device management software has a signature verification bypass that allows attackers to install malicious firmware
Fleet is an open source osquery manager. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,
SQL injection in Fleet device management software before version 4.80.1 allows authenticated users to manipulate the ord
Fleet device management software versions prior to 4.78.3 suffer from broken access control that permits any authenticat
fleetdm/fleet is an open source device management, built on osquery. Rated high severity (CVSS 8.1), this vulnerability
Fleet versions up to 4.80.1 contains a vulnerability that allows attackers to unauthorized access to Google Calendar res
Fleet device management software versions before 4.80.1 contain an authorization bypass in the certificate template dele
Fleet's device lock and wipe PIN generation relies on predictable timestamps without additional entropy, allowing attack
fleetdm/fleet is open source device management software. [CVSS 5.4 MEDIUM]
Fleet's Android MDM Pub/Sub endpoint fails to authenticate requests prior to version 4.80.1, allowing unauthenticated at
Fleet is an open source osquery manager. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low
Same weakness CWE-522 – Insufficiently Protected Credentials
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today