CVE-2023-50346 in DRYiCE MyXalytics
Summary
by MITRE • 01/03/2024
HCL DRYiCE MyXalytics is impacted by an information disclosure vulnerability. Certain endpoints within the application disclose detailed file information.
Analysis
by VulDB Data Team • 06/18/2025
The vulnerability identified as CVE-2023-50346 affects HCL DRYiCE MyXalytics, a business intelligence and analytics platform that enables organizations to process and analyze large datasets for decision-making purposes. This information disclosure vulnerability represents a significant security risk as it allows unauthorized access to sensitive file metadata and system information that should remain protected. The affected application is commonly used in enterprise environments where data confidentiality and integrity are paramount considerations for information security programs.
The technical flaw manifests through specific endpoints within the MyXalytics application that inadvertently expose detailed file information to unauthorized users. This disclosure occurs without proper authentication or authorization checks, allowing attackers to retrieve metadata about files stored within the system including file paths, sizes, creation dates, and potentially file contents. The vulnerability falls under the category of improper access control as defined by CWE-284, where the system fails to properly restrict access to sensitive resources. The flaw likely stems from insufficient input validation and inadequate security controls in the API endpoints that handle file-related requests, creating an information exposure condition that violates the principle of least privilege.
The operational impact of this vulnerability extends beyond simple data leakage, as it provides attackers with valuable reconnaissance information that can be leveraged for more sophisticated attacks. An attacker who exploits this vulnerability can gain insights into the organization's data structure, file naming conventions, and potentially sensitive business information contained within the analyzed datasets. This intelligence can be used to craft targeted attacks against specific files or directories, identify potential backup locations, or map out the overall data landscape for further exploitation. The vulnerability may also expose system configuration details that could aid in privilege escalation attempts or help attackers understand the underlying infrastructure architecture. According to the ATT&CK framework, this vulnerability maps to T1083 (File and Directory Discovery) and T1552 (Unsecured Credentials), as it enables unauthorized access to system information and potentially sensitive data repositories.
Organizations utilizing HCL DRYiCE MyXalytics should implement immediate mitigations to address this information disclosure vulnerability. The primary recommendation involves implementing robust authentication and authorization controls on all file-related endpoints, ensuring that only authorized users can access file metadata and content. Security patches should be applied as soon as they become available from HCL, while organizations should also consider implementing network segmentation to limit access to the application and its endpoints. Additional defensive measures include enabling comprehensive logging and monitoring of file access attempts to detect unauthorized access patterns, implementing input validation controls to prevent malicious input from triggering information disclosure, and conducting regular security assessments to identify similar vulnerabilities within the application's architecture. The vulnerability highlights the importance of maintaining secure coding practices and proper access control mechanisms throughout the application lifecycle, particularly in business intelligence systems that handle sensitive organizational data.