CVE

Id
498  
CVE No.
CVE-1999-0501  
Status
Candidate  
Description
A Unix account has a guessable password.  
Phase
Proposed (19990714)  
Votes
ACCEPT(3) Baker, Northcutt, Shostack | RECAST(2) Frech, Meunier | REVIEWING(1) Christey  
Comments
Frech> Guessable falls into the class of CVE-1999-0502, since I can guess a default, null, etc. password. Suggest changing to something like "has an existing non-default password that can be guessed." I'm also including default passwords in this entry. In that vein, we show the following references:
XF:user-password
XF:passwd-username
XF:default-unix-sync
XF:default-unix-4dgifts
XF:default-unix-bin
XF:default-unix-daemon
XF:default-unix-lp
XF:default-unix-me
XF:default-unix-nuucp
XF:default-unix-root
XF:default-unix-toor
XF:default-unix-tour
XF:default-unix-tty
XF:default-unix-uucp

Christey> This candidate is affected by the CD:CF-PASS content decision, which determines the appropriate level of abstraction to use for password problems. CD:CF-PASS needs to be accepted by the Editorial Board before this candidate can be converted into a CVE entry; the final version of CD:CF-PASS may require using a different LOA than this candidate is currently using.

CHANGE> [Meunier changed vote from ACCEPT to RECAST]

Meunier> This relates only to account password technology, so this candidate is independent of the operating system, application, web site or other application of this technology. The appropriate (natural) level of abstraction is therefore without specifying that it is for UNIX. Change the description to "An account has a guessable password other than default, null, blank." This should satisfy Andre's objection.

This Candidate should be merged with any candidate relating to account password technology where "Unix" in the original description can be replaced by something else.