CVE-2023-39903
CVE-2023-39903 is a medium-severity vulnerability in Fujitsu Software Infrastructure Manager with a CVSS 3.x base score of 5.9. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-312.
Key facts
- Severity: Medium (CVSS 3.x base score 5.9)
- EPSS exploit prediction: 0% (3rd percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-312
- Affected product: Fujitsu Software Infrastructure Manager
- Published:
- Last modified:
Description
An issue was discovered in Fujitsu Software Infrastructure Manager (ISM) before 2.8.0.061. The ismsnap component (in this specific case at /var/log/fujitsu/ServerViewSuite/ism/FirmwareManagement/FirmwareManagement.log) allows insecure collection and storage of authorization credentials in cleartext. That occurs when users perform any ISM Firmware Repository Address setup test (Test the Connection), or regularly authorize against an already configured remote firmware repository site, as set up in ISM Firmware Repository Address. A privileged attacker is therefore able to potentially gather the associated ismsnap maintenance data, in the same manner as a trusted party allowed to export ismsnap data from ISM. The preconditions for an ISM installation to be generally vulnerable are that the Download Firmware (Firmware Repository Server) function is enabled and configured, and that the character \ (backslash) is used in a user credential (i.e., user/ID or password) of the remote proxy host / firmware repository server. NOTE: this may overlap CVE-2023-39379.
Frequently asked questions
- What is CVE-2023-39903?
- An issue was discovered in Fujitsu Software Infrastructure Manager (ISM) before 2.8.0.061. The ismsnap component (in this specific case at /var/log/fujitsu/ServerViewSuite/ism/FirmwareManagement/FirmwareManagement.log) allows insecure collection and storage of authorization credentials in cleartext. That occurs when users perform any ISM Firmware Repository Address setup test (Test the Connection), or regularly authorize against an already configured remote firmware repository site, as set up in ISM Firmware Repository Address. A privileged attacker is therefore able to potentially gather the associated ismsnap maintenance data, in the same manner as a trusted party allowed to export ismsnap data from ISM. The preconditions for an ISM installation to be generally vulnerable are that the Download Firmware (Firmware Repository Server) function is enabled and configured, and that the character \ (backslash) is used in a user credential (i.e., user/ID or password) of the remote proxy host / firmware repository server. NOTE: this may overlap CVE-2023-39379.
- How severe is CVE-2023-39903?
- CVE-2023-39903 has a CVSS 3.x base score of 5.9, rated medium severity. It is exploitable over local access with low attack complexity, requires low privileges and user interaction. Impact on confidentiality is high, integrity none, and availability none.
- Is CVE-2023-39903 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (3rd percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2023-39903?
- CVE-2023-39903 affects Fujitsu Software Infrastructure Manager. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2023-39903?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2023-39903 published?
- CVE-2023-39903 was published on 2023-08-07 and last updated on 2026-06-17.
References
- https://security.ts.fujitsu.com/IndexDownload.asp?SoftwareGuid=a0131919-6d84-43b4-800e-d7f78200a70f
- https://security.ts.fujitsu.com/ProductSecurity/content/Fujitsu-PSIRT-ISS-IS-2023-071410-Security-Notice.pdf
Affected products (1)
- cpe:2.3:a:fujitsu:software_infrastructure_manager:*:*:*:*:*:*:*:*
More vulnerabilities in Fujitsu Software Infrastructure Manager
- CVE-2023-39379 — High (CVSS 7.5): Fujitsu Software Infrastructure Manager (ISM) stores sensitive information at the product's maintenance data (ismsnap)…
All CVEs affecting Fujitsu Software Infrastructure Manager →
Other CWE-312 (Cleartext Storage of Sensitive Information) vulnerabilities
- CVE-2022-43757 — Critical (CVSS 9.9): A Cleartext Storage of Sensitive Information vulnerability in SUSE Rancher allows users on managed clusters to gain…
- CVE-2021-36782 — Critical (CVSS 9.9): A Cleartext Storage of Sensitive Information vulnerability in SUSE Rancher allows authenticated Cluster Owners, Cluster…
- CVE-2020-9045 — Critical (CVSS 9.9): During installation or upgrade to Software House C•CURE 9000 v2.70 and American Dynamics victor Video Management…
- CVE-2026-31848 — Critical (CVSS 9.8): Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 uses the ecos_pw cookie for authentication, which…
- CVE-2025-65826 — Critical (CVSS 9.8): The mobile application was found to contain stored credentials for the network it was developed on. If an attacker…
- CVE-2025-34206 — Critical (CVSS 9.8): Vasion Print (formerly PrinterLogic) Virtual Appliance Host and Application (VA and SaaS deployments) mount host…
Browse all CWE-312 (Cleartext Storage of Sensitive Information) vulnerabilities →