CVE-2016-10104 in Automize
Summary
by MITRE
Information Disclosure can occur in sshProfiles.jsd in Hitek Software's Automize because of the Read attribute being set for Users. This allows an attacker to recover encrypted passwords for SSH/SFTP profiles. Verified in all 10.x versions up to and including 10.25, and all 11.x versions up to and including 11.14.
Analysis
by VulDB Data Team • 05/14/2026
The vulnerability described in CVE-2016-10104 represents a critical information disclosure flaw within Hitek Software's Automize application, specifically affecting the sshProfiles.jsd component. This security weakness stems from improper access control mechanisms that allow unauthorized users to read sensitive configuration data. The vulnerability exists in versions 10.x up to 10.25 and 11.x up to 11.14, indicating a prolonged period of exposure without proper remediation. The flaw manifests when the Read attribute is improperly configured for user roles, creating an unintended pathway for attackers to access encrypted password credentials stored within SSH/SFTP profile configurations.
The technical implementation of this vulnerability involves the application's failure to enforce proper authentication and authorization checks when accessing sensitive profile data. When users with insufficient privileges attempt to access the sshProfiles.jsd component, they are able to retrieve encrypted password values that should be restricted to authorized administrative personnel only. This represents a direct violation of the principle of least privilege and demonstrates a fundamental flaw in the application's access control model. The vulnerability falls under CWE-284, which specifically addresses improper access control mechanisms, and aligns with ATT&CK techniques T1552.001 for Unsecured Credentials and T1078 for Valid Accounts, as it exploits legitimate user access to extract sensitive information.
The operational impact of this vulnerability extends beyond simple information disclosure, as it provides attackers with the means to compromise entire SSH/SFTP infrastructure components. Once an attacker gains access to these encrypted passwords, they can potentially establish unauthorized remote access to systems managed by the Automize application. This creates a significant risk for organizations that rely on automated system management and orchestration tools, as the compromise of one user account could lead to widespread unauthorized access to network resources. The vulnerability particularly affects enterprise environments where automated task scheduling and remote system management are critical components of operational workflows.
Mitigation strategies for this vulnerability should focus on immediate access control remediation and configuration hardening. Organizations must ensure that proper role-based access controls are implemented for all sensitive application components, specifically disabling read access for non-administrative users to SSH/SFTP profile configurations. The application should be updated to the latest available version that contains patches addressing this access control flaw, and administrators should implement regular security assessments to identify similar configuration weaknesses. Additional protective measures include monitoring access logs for unauthorized attempts to read profile data, implementing network segmentation to limit exposure, and conducting comprehensive security training for administrators to prevent improper configuration of access controls. The vulnerability demonstrates the critical importance of proper privilege management and access control implementation in enterprise automation platforms, where the compromise of configuration data can lead to significant operational and security implications.
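One way to audit the access control on sshProfiles.jsd described above. This is an added example, not code from VulDB or Hitek Software. It assumes a Windows host, `icacls` output captured for the file, and English principal names; the path `C:\AUTOMIZE_DIR` is a placeholder, and the sample output is constructed.

```python
import re

# Principals treated as "any local user" (English names; an assumption,
# extend for localized systems or site-specific groups).
BROAD = {"builtin\\users", "everyone", "nt authority\\authenticated users"}
# icacls rights tokens that include the ability to read file data.
READ_RIGHTS = {"F", "M", "RX", "R", "RD", "GR", "GA"}
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}
ACE = re.compile(r"^(?P<who>.+?):(?P<groups>(?:\([^)]*\))+)$")


def readable_by_broad_principals(path, icacls_text):
    """Return [(principal, rights)] for Allow ACEs that let broad groups read path."""
    findings = []
    for line in icacls_text.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()   # first line is "<path> <ACE>"
        m = ACE.match(line)
        if not m:
            continue                           # blank line or icacls summary line
        groups = re.findall(r"\(([^)]*)\)", m["groups"])
        if "DENY" in groups or "IO" in groups:
            continue                           # deny / inherit-only: no grant on this file
        rights = {r.strip() for g in groups if g not in INHERIT_FLAGS
                  for r in g.split(",")}
        granted = sorted(rights & READ_RIGHTS)
        if m["who"].lower() in BROAD and granted:
            findings.append((m["who"], granted))
    return findings


# Constructed sample: placeholder install path, weak ACL as in the CVE text.
SAMPLE_PATH = r"C:\AUTOMIZE_DIR\sshProfiles.jsd"
SAMPLE = "\n".join([
    SAMPLE_PATH + r" BUILTIN\Users:(I)(RX)",
    r"    NT AUTHORITY\SYSTEM:(I)(F)",
    r"    BUILTIN\Administrators:(I)(F)",
    "",
    "Successfully processed 1 files; Failed processing 0 files",
])

if __name__ == "__main__":
    for who, rights in readable_by_broad_principals(SAMPLE_PATH, SAMPLE):
        print(f"{who} can read {SAMPLE_PATH}: {rights}")
```

An empty result means no broad principal holds a read-granting Allow entry on the file; any finding is a candidate for removal so that only the service account and administrators can read the profile store.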