CVE-2023-50346 in DRYiCE MyXalytics

Summary

by MITRE • 01/03/2024

HCL DRYiCE MyXalytics is impacted by an information disclosure vulnerability. Certain endpoints within the application disclose detailed file information.


Analysis

by VulDB Data Team • 06/18/2025

The vulnerability identified as CVE-2023-50346 affects HCL DRYiCE MyXalytics, a business intelligence and analytics platform that enables organizations to process and analyze large datasets for decision-making purposes. This information disclosure vulnerability represents a significant security risk as it allows unauthorized access to sensitive file metadata and system information that should remain protected. The affected application is commonly used in enterprise environments where data confidentiality and integrity are paramount considerations for information security programs.

The technical flaw manifests through specific endpoints within the MyXalytics application that inadvertently expose detailed file information to unauthorized users. This disclosure occurs without proper authentication or authorization checks, allowing attackers to retrieve metadata about files stored within the system including file paths, sizes, creation dates, and potentially file contents. The vulnerability falls under the category of improper access control as defined by CWE-284, where the system fails to properly restrict access to sensitive resources. The flaw likely stems from insufficient input validation and inadequate security controls in the API endpoints that handle file-related requests, creating an information exposure condition that violates the principle of least privilege.

The operational impact of this vulnerability extends beyond simple data leakage, since it provides attackers with valuable reconnaissance information that can be leveraged for more sophisticated attacks. An attacker who exploits this vulnerability can gain insights into the organization's data structure, file naming conventions, and potentially sensitive business information contained within the analyzed datasets. This intelligence can be used to craft targeted attacks against specific files or directories, identify potential backup locations, or map out the overall data landscape for further exploitation. The vulnerability may also expose system configuration details that could aid in privilege escalation attempts or help attackers understand the underlying infrastructure architecture. In the MITRE ATT&CK framework, this vulnerability maps to T1083 (File and Directory Discovery) and T1552 (Unsecured Credentials), as it enables unauthorized access to system information and potentially sensitive data repositories.

Organizations utilizing HCL DRYiCE MyXalytics should implement immediate mitigations to address this information disclosure vulnerability. The primary recommendation involves implementing robust authentication and authorization controls on all file-related endpoints, ensuring that only authorized users can access file metadata and content. Security patches should be applied as soon as they become available from HCL, while organizations should also consider implementing network segmentation to limit access to the application and its endpoints. Additional defensive measures include enabling comprehensive logging and monitoring of file access attempts to detect unauthorized access patterns, implementing input validation controls to prevent malicious input from triggering information disclosure, and conducting regular security assessments to identify similar vulnerabilities within the application's architecture. The vulnerability highlights the importance of maintaining secure coding practices and proper access control mechanisms throughout the application lifecycle, particularly in business intelligence systems that handle sensitive organizational data.
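To make the mitigation concrete, the following added example (hypothetical code, not HCL's or MyXalytics' own; the endpoint shape, metadata fields and team model are assumptions) places a disclosing file-metadata handler beside an access-controlled one that authenticates the caller, authorizes against the file's owning team, returns only the fields the caller needs, and logs every attempt.

```python
"""Hypothetical file-metadata endpoint: disclosing variant vs. access-controlled variant.

Illustrative only: the real MyXalytics endpoints and data model are not public.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample store: logical path -> metadata, including the team that owns the file.
FILE_STORE = {
    "/data/finance/q3_forecast.csv": {"size": 48213, "created": "2023-10-02", "team": "finance",
                                       "host_path": "/srv/app/storage/finance/q3_forecast.csv"},
    "/data/hr/salaries.xlsx": {"size": 9021, "created": "2023-09-15", "team": "hr",
                               "host_path": "/srv/app/storage/hr/salaries.xlsx"},
}

@dataclass(frozen=True)
class Principal:
    """Authenticated caller; None stands for an unauthenticated request."""
    user: str
    teams: frozenset

AUDIT_LOG: list = []  # (user, path, outcome) tuples for detection and review

def vulnerable_file_info(path: str, principal: Optional[Principal]) -> dict:
    """Disclosing variant: no authentication or authorization, every stored field leaks,
    including the server-side host path (CWE-284 style improper access control)."""
    entry = FILE_STORE.get(path)
    return dict(entry) if entry else {"error": "not found"}

def hardened_file_info(path: str, principal: Optional[Principal]) -> dict:
    """Access-controlled variant: authenticate, authorize against the owning team,
    return only the fields the caller needs, and record every attempt."""
    if principal is None:
        AUDIT_LOG.append(("<anonymous>", path, "unauthenticated"))
        return {"error": "authentication required"}
    entry = FILE_STORE.get(path)
    # Identical response for "missing" and "forbidden", so a caller cannot use the
    # endpoint to confirm which paths exist outside their own scope.
    if entry is None or entry["team"] not in principal.teams:
        AUDIT_LOG.append((principal.user, path, "denied"))
        return {"error": "not found"}
    AUDIT_LOG.append((principal.user, path, "allowed"))
    # Least privilege applied to the response: no host path, no ownership details.
    return {"size": entry["size"], "created": entry["created"]}
```

A burst of "denied" or "unauthenticated" entries in AUDIT_LOG across many distinct paths is the access pattern the advisory's monitoring recommendation is meant to surface.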

Responsible: HCL Software

Reservation: 12/07/2023

Disclosure: 01/03/2024

Moderation: accepted

CPE: ready

EPSS: 0.00314

KEV: no

Activities: very low

Sources
