CVE-2019-6122

A Username Enumeration via Error Message issue was discovered in NiceHash Miner before 2.0.3.0 because an "EMAIL DOES NOT EXIST" error message occurs whenever a submitted email address is incorrect, but there is a different error message for invalid credentials with a correct email address.

CVSS v3 3.1 LOW
CVSS v2.0 4.3 MEDIUM

3.1^/10

CVSS v3 : LOW

Vector :

Exploitability : 1.6 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.3^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:N/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://cyberworldmirror.com/nicehash-vulnerability-leaked-miners-information/	Exploit Third Party Advisory
https://docs.google.com/document/d/1OubhuTRzuTMnkZ9SCFb8BtJVbTu840wDxyWu3VWHwvs/edit	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:nicehash:miner:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2019-11-06 18:15

Updated : 2020-08-24 17:37

NVD link : CVE-2019-6122

Mitre link : CVE-2019-6122

CVE.ORG link : CVE-2019-6122

JSON object : View

Products Affected

nicehash

miner

CWE

CWE-209

Generation of Error Message Containing Sensitive Information

{"id": "CVE-2019-6122", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.1, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 1.6}]}, "published": "2019-11-06T18:15:10.430", "references": [{"url": "https://cyberworldmirror.com/nicehash-vulnerability-leaked-miners-information/", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://docs.google.com/document/d/1OubhuTRzuTMnkZ9SCFb8BtJVbTu840wDxyWu3VWHwvs/edit", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-209"}]}], "descriptions": [{"lang": "en", "value": "A Username Enumeration via Error Message issue was discovered in NiceHash Miner before 2.0.3.0 because an \"EMAIL DOES NOT EXIST\" error message occurs whenever a submitted email address is incorrect, but there is a different error message for invalid credentials with a correct email address."}, {"lang": "es", "value": "Se descubri\u00f3 un problema de Enumeraci\u00f3n de Nombre de Usuario mediante un Mensaje de Error en NiceHash Miner versiones anteriores a la versi\u00f3n 2.0.3.0, porque ocurre un mensaje de error \"EMAIL DOES NOT EXIST\" cada vez que una direcci\u00f3n de correo electr\u00f3nico enviada es incorrecta, pero existe un mensaje de error diferente para credenciales no v\u00e1lidas con una direcci\u00f3n de correo electr\u00f3nico correcta."}], "lastModified": "2020-08-24T17:37:01.140", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nicehash:miner:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5B26E244-565A-4DE5-BB26-D95A530D69E2", "versionEndExcluding": "2.0.3.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}