CVE-2019-13033

Name of the Vulnerable Software and Affected Versions: CISOfy Lynis versions 2.x through 2.7.5

Description: The issue allows an attacker to obtain the license key by examining the process list during a data upload. This license key can then be used to upload data to a central Lynis server, potentially allowing the upload of additional scan data. However, it is noted that knowing the license key does not enable data extraction.

Recommendations: For CISOfy Lynis versions 2.x through 2.7.5, consider restricting access to the process list during data uploads to minimize the risk of the license key being obtained. As a temporary workaround, restrict the ability to upload data to the central Lynis server until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.