PT-2020-12322 · Openitcockpit · Openitcockpit

Dejan Zelic · Published 2020-03-25 · Updated 2021-07-21 · CVE-2020-10788

CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions: openITCOCKPIT versions prior to 3.7.3

Description: The issue arises from the use of a hardcoded API key, specifically 1fea123e07f730f76e661bced33a94152378611e, instead of generating a random API key for WebSocket connections. Because every installation ships with the same key, it could allow unauthorized access to those connections.

Recommendations: For versions prior to 3.7.3, update to version 3.7.3 or later to resolve the issue. As a temporary workaround, restrict access to the WebSocket connections until the update can be applied.
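To illustrate the root cause and the fix described above, here is an added example (not openITCOCKPIT's own code): a key baked into the source is accepted by every installation, whereas a key generated randomly on first start-up and stored with restrictive permissions is unique per deployment. The constant `HARDCODED_KEY` is a placeholder standing in for the shipped key, and the JSON config file name is assumed.

```python
"""Constructed illustration of CVE-2020-10788's root cause and its fix."""
import hmac
import json
import os
import secrets
import tempfile

# Placeholder standing in for a key embedded in the source: anyone who reads
# the code, or any other installation, knows it.
HARDCODED_KEY = "0000000000000000000000000000000000000000"


def vulnerable_check(presented: str) -> bool:
    """Before the fix: every installation accepts the same key shipped in the code."""
    return presented == HARDCODED_KEY


def load_or_create_key(config_path: str) -> str:
    """After the fix: generate a random per-installation key once and persist it."""
    if os.path.exists(config_path):
        with open(config_path) as fh:
            return json.load(fh)["websocket_api_key"]
    key = secrets.token_hex(20)  # 160 random bits, 40 hex characters
    # O_EXCL avoids clobbering a key written by a concurrent start-up; 0o600
    # keeps the key readable only by the service account.
    fd = os.open(config_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump({"websocket_api_key": key}, fh)
    return key


def fixed_check(presented: str, expected: str) -> bool:
    """Constant-time comparison so response timing does not leak key bytes."""
    return hmac.compare_digest(presented.encode(), expected.encode())


def demo() -> dict:
    """Exercise both checks against a fresh installation in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "websocket.json")  # assumed config file name
        key = load_or_create_key(path)
        again = load_or_create_key(path)  # a restart reuses the stored key
        return {
            "stable_across_restarts": key == again,
            "key_length": len(key),
            "hardcoded_accepted_before": vulnerable_check(HARDCODED_KEY),
            "hardcoded_accepted_after": fixed_check(HARDCODED_KEY, key),
            "own_key_accepted_after": fixed_check(key, key),
        }


if __name__ == "__main__":
    print(demo())
```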

Fix

Weakness: Using Hardcoded Credentials


Weakness Enumeration

Related Identifiers

CVE-2020-10788

Affected Products

Openitcockpit