Hard-coded secrets in plain text format found in Kiuwan Local Analyzer JAR files
CVE-2023-49113

7.8 HIGH

Key Information:

Vendor

Kiuwan

CVE Published:
20 June 2024

What is CVE-2023-49113?

The Kiuwan Local Analyzer exposes sensitive information through hard-coded secrets in its Java scanning application. Several credentials were found in the shipped JAR files, including usernames and passwords for GitHub accounts stored in plain text. These hard-coded secrets undermine the confidentiality of scan results and pose a significant security risk. Specifically, the file 'InsightServicesConfig.properties' inside the 'optimyth-insight.jar' JAR file contains pre-filled configuration tokens, and 'Encryptor.properties' holds the encryption key used for scan results, further aggravating the exposure of sensitive data.
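The class of defect described above (credential-looking keys with literal values in `.properties` entries packaged inside a JAR) is cheap to check for before a build is released. The following is an added example, not Kiuwan's code and not the vendor's real configuration: it builds a constructed sample JAR whose entry names follow the advisory but whose contents are placeholder values, then reads every `.properties` entry and reports keys that look like credentials and carry a literal (non-externalised) value. Key names, the placeholder values and the sensitive-word list are assumptions made for the example; nested JARs and string constants compiled into `.class` files are out of scope.

```python
import io
import re
import zipfile


def build_sample_jar() -> bytes:
    """Constructed sample JAR (a plain ZIP archive) for the demonstration.
    Entry names follow the advisory; the contents are placeholders invented
    for this example, not the vendor's real files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "com/example/InsightServicesConfig.properties",
            "# constructed sample, not real configuration\n"
            "insight.url=https://insight.example.invalid\n"
            "github.user=PLACEHOLDER_USER\n"
            "github.password=PLACEHOLDER_PASSWORD\n"
            "insight.token=PLACEHOLDER_TOKEN\n"
            "proxy.password=${PROXY_PASSWORD}\n",  # externalised, not hard-coded
        )
        zf.writestr("com/example/Encryptor.properties", "encryptor.key=PLACEHOLDER_KEY\n")
        zf.writestr("com/example/Logging.properties", "log.level=INFO\nlog.file=analyzer.log\n")
        zf.writestr("com/example/Analyzer.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


# Key-name fragments that usually denote a credential or key material (assumed list).
SENSITIVE_WORDS = {"password", "passwd", "pwd", "secret", "token", "key",
                   "apikey", "user", "username", "credential", "credentials"}

# A value of the form ${NAME} is a reference resolved at runtime, i.e. the
# secret is externalised rather than baked into the archive, so it is not reported.
EXTERNAL_REF = re.compile(r"^\$\{[^}]+\}$")


def parse_properties(text: str) -> dict:
    """Minimal java.util.Properties reader: '#'/'!' comment lines, '=' or ':'
    as the first separator, surrounding whitespace ignored."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        parts = re.split(r"\s*[=:]\s*", line, maxsplit=1)
        key = parts[0].strip()
        value = parts[1].strip() if len(parts) > 1 else ""
        props[key] = value
    return props


def is_sensitive_key(key: str) -> bool:
    """True when any dot/underscore/dash-separated segment of the key is a sensitive word."""
    return any(seg in SENSITIVE_WORDS for seg in re.split(r"[._\-]", key.lower()))


def find_hardcoded_secrets(jar_bytes: bytes) -> list:
    """Return (entry, key) pairs for .properties entries that carry a literal
    value under a credential-looking key. Values are deliberately not returned,
    so the report can be shared without copying the secret itself."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".properties"):
                continue
            # java.util.Properties reads ISO-8859-1 by default.
            text = zf.read(name).decode("latin-1")
            for key, value in parse_properties(text).items():
                if is_sensitive_key(key) and value and not EXTERNAL_REF.match(value):
                    findings.append((name, key))
    return findings


if __name__ == "__main__":
    for entry, key in find_hardcoded_secrets(build_sample_jar()):
        print(f"{entry}: literal value under key '{key}'")
```

Run against the sample, the check flags the GitHub username and password, the pre-filled token and the encryptor key, while `proxy.password=${PROXY_PASSWORD}` and the logging settings pass. In a real pipeline the same function would be pointed at the built JAR (and, for a thorough check, at any JARs nested inside it), with any hit treated as a release blocker.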

Affected Version(s)

SAST Local Analyzer <master.1808.p685.q13371

References

CVSS V3.1

Score:
7.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Constantin Schwarz
Johannes Greil