CVE-2022-35413

Name of the Vulnerable Software and Affected Versions WAPPLES versions through 6.0

Description A threat actor could use a hardcoded systemi account to access the system configuration and confidential information, such as SSL keys, via an HTTPS request to the "/webapi/" URI on port 443 or 5001. The account is accessible via db/wp.no1, as configured in the /opt/penta/wapples/script/wcc auto scaling.py file.

Recommendations For WAPPLES versions through 6.0, consider disabling access to the hardcoded systemi account until a patch is available. Restrict access to the /webapi/ URI on port 443 or 5001 to minimize the risk of exploitation. Avoid using the db/wp.no1 configuration to access the system configuration and confidential information until the issue is resolved.