PT-2023-29741 · Delinea · Delinea Pam Secret Server
3V4Si0N
Published: 2023-09-06 · Updated: 2023-09-11
CVE-2023-4588 · CVSS v3.1 6.8 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Delinea Secret Server versions 10.9.000002 through 11.4.000002
Description: The issue allows an authenticated user with administrative privileges to write a backup file into the application's web root by changing the default backup directory to the wwwroot folder. Because the web server serves that directory, the user can then download the backup over HTTP together with configuration files stored there, including encryption.config and database.config. As a result, database credentials are exposed in plain text. Note that exploitation requires an account that already holds administrative privileges in the application (PR:H in the vector); the impact is that such an account obtains the database credentials and encryption configuration, which the application would otherwise not expose to it.
Recommendations: For versions 10.9.000002 through 11.4.000002, restrict access to the backup functionality and to the wwwroot directory so that sensitive configuration files cannot be downloaded, and verify that the configured backup directory is outside the web root. Additionally, as a temporary workaround, disable the ability to change the default backup directory to the wwwroot folder until a patch is available.
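As an added illustration (this is not Delinea's code and is not part of the original advisory), the Python below shows two checks that follow from the description and recommendations above: a validation that rejects any backup directory resolving inside the web root, which is the check the application should apply when the setting is changed, and a small IIS W3C log parser that flags successful GETs of the named configuration files or of a .zip under the application path, which is the trace such a download leaves on the server. The web root path, the backup file name, the log lines and their field layout are constructed assumptions, not values taken from a Secret Server deployment.

```python
import ntpath

# Constructed assumptions (not from Delinea documentation): the IIS application
# root of a Secret Server install and the files named in the advisory.
WEBROOT = r"C:\inetpub\wwwroot\SecretServer"
SENSITIVE_FILES = ("encryption.config", "database.config")


def backup_dir_is_safe(backup_dir: str, webroot: str = WEBROOT) -> bool:
    """Return True only if backup_dir cannot resolve to a location inside webroot.

    Windows paths are normalised (case-insensitive, '..' segments, mixed slashes,
    trailing separators) before the comparison, so a value such as
    C:\\INETPUB\\WWWROOT\\secretserver\\..\\SecretServer\\bk is still rejected.
    A path equal to the web root is rejected as well; a relative path is rejected
    because it would resolve against the worker process's working directory.
    """
    if not ntpath.isabs(backup_dir):
        return False
    root = ntpath.normcase(ntpath.normpath(webroot))
    target = ntpath.normcase(ntpath.normpath(backup_dir))
    try:
        common = ntpath.commonpath([root, target])
    except ValueError:
        # Different drive letters: the target cannot lie under the web root.
        return True
    # commonpath works on path components, so C:\inetpub\wwwroot\SecretServerBackups
    # is correctly treated as outside C:\inetpub\wwwroot\SecretServer (a plain
    # string-prefix test would wrongly reject it).
    return common != root


# Constructed IIS W3C log excerpt (not real traffic). The parser reads the field
# order from the "#Fields:" header rather than assuming fixed offsets.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2023-09-06 10:12:01 GET /SecretServer/Login.aspx - - 10.0.0.5 200
2023-09-06 10:15:03 GET /SecretServer/encryption.config - CORP\\alice 10.0.0.5 200
2023-09-06 10:15:04 GET /SecretServer/database.config - CORP\\alice 10.0.0.5 200
2023-09-06 10:15:09 GET /SecretServer/backup_20230906.zip - CORP\\alice 10.0.0.5 200
2023-09-06 10:20:40 GET /SecretServer/encryption.config - - 10.0.0.9 404
"""


def find_config_exfiltration(log_text: str):
    """Return (c-ip, cs-username, cs-uri-stem) for every successful (2xx) GET of a
    sensitive config file or of a .zip under the application: the pattern a
    download of a backup written into wwwroot produces in the IIS log."""
    fields = None
    hits = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed or truncated record; skip rather than mis-map columns
        rec = dict(zip(fields, parts))
        uri = rec["cs-uri-stem"]
        name = uri.rsplit("/", 1)[-1].lower()
        if (rec["cs-method"] == "GET"
                and rec["sc-status"].startswith("2")
                and (name in SENSITIVE_FILES or name.endswith(".zip"))):
            hits.append((rec["c-ip"], rec["cs-username"], uri))
    return hits


if __name__ == "__main__":
    for candidate in (r"C:\inetpub\wwwroot\SecretServer\backups", r"D:\SecretServerBackups"):
        print(candidate, "->", "allowed" if backup_dir_is_safe(candidate) else "REJECTED")
    for ip, user, uri in find_config_exfiltration(SAMPLE_IIS_LOG):
        print(f"sensitive download: {uri} by {user} from {ip}")
```

The path check deliberately uses ntpath.commonpath rather than a string-prefix comparison, so a sibling directory whose name merely starts with the web root's name is not rejected, while traversal, case changes and forward slashes are all normalised away first. The log check looks only for successful responses; the 404 for the unauthenticated request in the sample is not reported, which keeps the output focused on downloads that actually succeeded.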

Fix

Weakness Enumeration

Files Accessible to External Parties

Related Identifiers

CVE-2023-4588

Affected Products

Delinea Pam Secret Server