| Titre | Industrial Application Software - IAS Canias ERP 8.03-- Use of Hard-coded Cryptographic Key (CWE-321) |
|---|
| Description | A vulnerability was found in Industrial Application Software caniasERP 8.03 and classified as high. This vulnerability affects the crypto classes of the component Client JAR Files distributed via the JNLP deployment endpoint. The manipulation leads to use of hard-coded cryptographic keys. Multiple encryption keys are embedded as compile-time constants including AES-128, AES-256, Triple DES, DES-56 (cryptographically broken), Blowfish, and a server configuration file decryption key. The JAR files are downloadable without authentication over plain HTTP via the JNLP endpoint, exposing all keys to any network-level attacker. Combined with the FILETRANSFER vulnerability, these keys allow decryption of the server configuration file to obtain plaintext database credentials.
Discovered by Bilal Güneş (@b1lal) of HawkTrace. |
|---|
| Utilisateur | b1lal (UID 97312) |
|---|
| Soumission | 20/04/2026 18:13 (il y a 2 mois) |
|---|
| Modérer | 09/05/2026 18:33 (19 days later) |
|---|
| Statut | Accepté |
|---|
| Entrée VulDB | 362459 [Industrial Application Software IAS Canias ERP 8.03 JNLP Deployment Endpoint chiffrement faible] |
|---|
| Points | 17 |
|---|