CVE-2023-49112 in SAST
Summary
by MITRE • 06/20/2024
Kiuwan provides an API endpoint
/saas/rest/v1/info/application
to get information about any application, providing only its name via the "application" parameter. This endpoint lacks proper access control mechanisms, allowing other authenticated users to read information about applications, even though they have not been granted the necessary rights to do so.
This issue affects Kiuwan SAST: <master.1808.p685.q13371
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 06/21/2024
The vulnerability identified as CVE-2023-49112 represents a critical access control flaw within Kiuwan SAST's REST API implementation. This security weakness exists in the /saas/rest/v1/info/application endpoint which is designed to retrieve application information based solely on the application name parameter. The flaw stems from inadequate authorization checks that fail to verify whether authenticated users possess the appropriate permissions to access specific application data. This represents a direct violation of the principle of least privilege and demonstrates a fundamental failure in the application's access control architecture.
The technical nature of this vulnerability places it squarely within CWE-285, which addresses improper authorization issues in software systems. The flaw allows for unauthorized information disclosure where any authenticated user can enumerate and access application metadata belonging to other users or projects they should not have visibility into. This endpoint operates without proper role-based access controls or permission verification mechanisms, creating a pathway for privilege escalation through information gathering. The vulnerability specifically affects Kiuwan SAST version master.1808.p685.q13371 and likely impacts the broader SAST platform's security posture by enabling attackers to discover sensitive project information and potentially identify targets for further exploitation.
From an operational impact perspective, this vulnerability creates significant risks for organizations using Kiuwan SAST for software security analysis. Attackers who gain access to the system through other means can leverage this flaw to map out the complete application landscape within the organization's SAST environment. This information disclosure can reveal project names, application dependencies, and potentially sensitive business logic that could be used in subsequent attacks. The vulnerability aligns with ATT&CK technique T1087.001 for account discovery and T1528 for applications and systems information gathering, making it particularly dangerous in environments where multiple teams or projects share the same SAST platform. The impact extends beyond simple information disclosure as it enables attackers to identify which applications are under security analysis and potentially focus their efforts on high-value targets.
The mitigation strategy for CVE-2023-49112 requires immediate implementation of proper access control mechanisms within the affected API endpoint. Organizations should implement role-based access controls that verify user permissions before granting access to application information, ensuring that users can only view applications they have been explicitly authorized to access. The fix should incorporate authentication checks that validate user roles and permissions against the requested application resource. Additionally, implementing audit logging for API access attempts will help detect unauthorized access patterns and provide forensic evidence of potential exploitation attempts. Security teams should also review all other API endpoints within the Kiuwan SAST platform for similar access control vulnerabilities and ensure that proper authorization mechanisms are in place across the entire application interface. The remediation process should follow established security frameworks such as NIST SP 800-53 controls for access control and information flow protection to ensure comprehensive coverage of the identified weakness.