CVE-2023-49113
📋 TL;DR
Kiuwan Local Analyzer contains hard-coded credentials and encryption keys in plain text within JAR files. This allows attackers to potentially decrypt scan results and access sensitive information. Affects Kiuwan SAST users with versions below master.1808.p685.q13371.
💻 Affected Systems
- Kiuwan SAST
- Kiuwan Local Analyzer
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers decrypt all historical and future scan results, exposing proprietary source code, security vulnerabilities, and sensitive application data.
Likely Case
Unauthorized access to scan results containing source code analysis, potentially exposing intellectual property and security findings.
If Mitigated
Limited exposure if scan results contain minimal sensitive data or if network segmentation prevents access to the analyzer.
🎯 Exploit Status
Exploitation requires access to JAR files but involves simple extraction of plain text credentials and keys.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: master.1808.p685.q13371 or later
Vendor Advisory: https://www.kiuwan.com/docs/display/K5/%5B2024-05-30%5D+Change+Log
Restart Required: Yes
Instructions:
1. Update Kiuwan SAST to version master.1808.p685.q13371 or later.
2. Restart the Kiuwan Local Analyzer service.
3. Verify JAR files no longer contain hard-coded credentials.
🔧 Temporary Workarounds
Remove or secure JAR files
Restrict access to lib.engine/insight/optimyth-insight.jar files to prevent credential extraction.
chmod 600 /path/to/optimyth-insight.jar
chown root:root /path/to/optimyth-insight.jar
Network segmentation
Isolate Kiuwan Local Analyzer systems from untrusted networks and users.
🧯 If You Can't Patch
- Rotate any GitHub credentials that match the hard-coded values immediately.
- Audit systems for any extracted scan results and monitor for unauthorized access to sensitive data.
🔍 How to Verify
Check if Vulnerable:
Extract optimyth-insight.jar and check for InsightServicesConfig.properties and Encryptor.properties files containing plain text credentials.
Check Version:
Check the Kiuwan SAST version in the administration interface or in the configuration files.
Verify Fix Applied:
Verify updated JAR files no longer contain hard-coded credentials in the properties files mentioned.
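The check above can be scripted so it runs the same way before and after the update. The following is an added example, not Kiuwan's code: it opens a JAR as a zip archive, looks only at the two properties files named in this advisory, and reports property keys that look like credentials or keys (a heuristic pattern, assumed here) and carry a non-empty value. The sample JARs and their contents are constructed placeholders.

```python
import io
import re
import zipfile

# Properties files named in the advisory.
SUSPECT_FILES = ("InsightServicesConfig.properties", "Encryptor.properties")
# Heuristic (assumed) pattern for property keys whose values would be secrets.
SECRET_KEY_RE = re.compile(r"password|passwd|secret|token|key|credential", re.IGNORECASE)


def find_plaintext_secrets(jar_bytes):
    """Return {member: [keys]} for suspect properties members with non-empty secret-like values."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for member in jar.namelist():
            if not member.endswith(SUSPECT_FILES):
                continue
            keys = []
            for raw in jar.read(member).decode("utf-8", errors="replace").splitlines():
                line = raw.strip()
                if not line or line.startswith(("#", "!")):   # blank or comment line
                    continue
                parts = re.split(r"\s*[=:]\s*", line, maxsplit=1)  # key=value or key: value
                if len(parts) == 2 and SECRET_KEY_RE.search(parts[0]) and parts[1].strip():
                    keys.append(parts[0].strip())
            if keys:
                findings[member] = keys
    return findings


def build_sample_jar(entries):
    """Construct an in-memory JAR (zip) from {member: text}; demonstration only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, text in entries.items():
            jar.writestr(name, text)
    return buf.getvalue()


# Constructed samples: a JAR with embedded placeholder secrets and a cleaned one.
VULNERABLE_JAR = build_sample_jar({
    "com/example/InsightServicesConfig.properties":
        "# constructed sample\ngithub.user=PLACEHOLDER_USER\ngithub.password=PLACEHOLDER_PASS\n",
    "com/example/Encryptor.properties": "encryptor.key = PLACEHOLDER_KEY\n",
    "com/example/Unrelated.class": "not inspected",
})
FIXED_JAR = build_sample_jar({
    "com/example/InsightServicesConfig.properties": "# supplied at runtime\ngithub.password=\n",
    "com/example/Encryptor.properties": "encryptor.key=\n",
})

if __name__ == "__main__":
    for label, jar in (("vulnerable", VULNERABLE_JAR), ("fixed", FIXED_JAR)):
        print(label, find_plaintext_secrets(jar) or "no plain-text secrets found")
```

To run it against a real installation, read the bytes of lib.engine/insight/optimyth-insight.jar and pass them to find_plaintext_secrets; an empty result after the update is the expected outcome.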
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to GitHub using the hard-coded credentials
- Unexpected decryption or access to scan result files
Network Indicators:
- Outbound connections to GitHub API from Kiuwan systems using suspicious credentials
SIEM Query:
source="kiuwan" AND (event="credential_use" OR event="decryption")