Kiuwan SAST prior master.1808.p685.q13371 optimyth-insight.jar cleartext storage
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 3.4 | $0-$5k | 0.00 |
Summary
A vulnerability classified as problematic was found in Kiuwan SAST. It affects unknown code in the library lib.engine/insight/optimyth-insight.jar. The manipulation results in cleartext storage of sensitive data. The vulnerability is tracked as CVE-2023-49113. No exploit is available. Upgrading the affected component is recommended.
Details
A vulnerability classified as problematic was found in Kiuwan SAST. Affected is some unknown functionality in the library lib.engine/insight/optimyth-insight.jar. Manipulation with an unknown input leads to a cleartext storage vulnerability. CWE classifies the issue as CWE-312: the product stores sensitive information in cleartext within a resource that might be accessible to another control sphere. This impacts confidentiality. The CVE description summarizes:
The Kiuwan Local Analyzer (KLA) Java scanning application contains several hard-coded secrets in plain text format. In some cases, this can potentially compromise the confidentiality of the scan results. Several credentials were found in the JAR files of the Kiuwan Local Analyzer. The JAR file "lib.engine/insight/optimyth-insight.jar" contains the file "InsightServicesConfig.properties", which has the configuration tokens "insight.github.user" as well as "insight.github.password" prefilled with credentials. At least the specified username corresponds to a valid GitHub account. The JAR file "lib.engine/insight/optimyth-insight.jar" also contains the file "es/als/security/Encryptor.properties", in which the key used for encrypting the results of any performed scan is stored. This issue affects Kiuwan SAST: <master.1808.p685.q13371
The weakness was published by Constantin Schwarz. The advisory is available at r.sec-consult.com. This vulnerability has been tracked as CVE-2023-49113 since 11/22/2023. Exploitability is reported to be easy. Technical details are known, but no exploit is available. The vulnerability is mapped to technique T1555 in the MITRE ATT&CK framework.
Upgrading to version master.1808.p685.q13371 eliminates this vulnerability.
CVSSv3
VulDB Meta Base Score: 3.5
VulDB Meta Temp Score: 3.4
VulDB Base Score: 3.5
VulDB Temp Score: 3.4
Exploiting
Class: Cleartext storage
CWE: CWE-312 / CWE-310
Physical: No
Local: No
Remote: Partially
Status: Not defined
Countermeasures
Recommended: Upgrade
Upgrade: SAST master.1808.p685.q13371
Timeline
11/22/2023
06/20/2024
06/21/2024
Sources
Advisory: r.sec-consult.com
Researcher: Constantin Schwarz
Status: Confirmed
CVE: CVE-2023-49113
GCVE (CVE): GCVE-0-2023-49113
GCVE (VulDB): GCVE-100-269250
Entry
Created: 06/20/2024 16:31
Updated: 06/21/2024 15:53
Changes: 06/20/2024 16:31 (54), 06/21/2024 15:53 (1)