CVE-2023-28937

Name of the Vulnerable Software and Affected Versions DataSpider Servista versions 4.4 and earlier

Description The issue concerns the use of a hard-coded cryptographic key in DataSpider Servista, which is data integration software. This key is embedded in ScriptRunner and ScriptRunner for Amazon SQS, tools used to start configured processes on DataSpider Servista. The key is common to all users, and if an attacker gains access to a target DataSpider Servista instance and obtains a Launch Settings file of ScriptRunner and/or ScriptRunner for Amazon SQS, they may perform operations with the user privilege encrypted in the file. DataSpider Servista and some of its OEM products are affected.

Recommendations For DataSpider Servista versions 4.4 and earlier, consider disabling the use of ScriptRunner and ScriptRunner for Amazon SQS until a patch or fix is available to avoid potential exploitation. Restrict access to Launch Settings files of these tools to minimize the risk of attackers obtaining sensitive information. At the moment, there is no information about a newer version that contains a fix for this vulnerability.