Vulnerability title
Sensitive Data Stored Insecurely in Kiuwan SAST Local Analyzer
Vulnerability description
The Kiuwan Local Analyzer (KLA) Java scanning application contains several secrets hard-coded in plain text. In some cases this can compromise the confidentiality of the scan results. Several credentials were found in the JAR files of the Kiuwan Local Analyzer.
The JAR file "lib.engine/insight/optimyth-insight.jar" contains the file "InsightServicesConfig.properties", in which the configuration tokens "insight.github.user" and "insight.github.password" are prefilled with credentials. At least the specified username corresponds to a valid GitHub account.
The JAR file "lib.engine/insight/optimyth-insight.jar" also contains the file "es/als/security/Encryptor.properties", which holds the key used to encrypt the results of any performed scan.
This issue affects Kiuwan SAST: <master.1808.p685.q13371
CVSS information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Vulnerability category
Use of hard-coded credentials
Vulnerability title
Sensitive Data Stored Insecurely in Kiuwan SAST Local Analyzer
Vulnerability description
The Kiuwan Local Analyzer (KLA) Java scanning application contains several hard-coded secrets in plain text format. In some cases, this can potentially compromise the confidentiality of the scan results. Several credentials were found in the JAR files of the Kiuwan Local Analyzer.
The JAR file "lib.engine/insight/optimyth-insight.jar" contains the file "InsightServicesConfig.properties", which has the configuration tokens "insight.github.user" as well as "insight.github.password" prefilled with credentials. At least the specified username corresponds to a valid GitHub account.
The JAR file "lib.engine/insight/optimyth-insight.jar" also contains the file "es/als/security/Encryptor.properties", which holds the key used for encrypting the results of any performed scan.
This issue affects Kiuwan SAST: <master.1808.p685.q13371
CVSS information
N/A
Vulnerability category
Cleartext storage of sensitive data
Vulnerability title
Kiuwan SAST Cross-Site Scripting Vulnerability
Vulnerability description
Kiuwan is a powerful end-to-end application security platform. Kiuwan SAST versions before 2.8.2402.3 contain a cross-site scripting vulnerability: an unauthenticated reflected cross-site scripting (XSS) attack can be performed on the login page.
CVSS information
N/A
Vulnerability category
Cross-site scripting