PT-2024-13679 · Github · Github

Constantin Schwarz +1 · Published 2024-06-20 · Updated 2024-07-03 · CVE-2023-49113

CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Kiuwan SAST: versions prior to the fixed version
Kiuwan Local Analyzer (KLA): affected versions not specified

Description
The Kiuwan Local Analyzer (KLA) Java scanning application contains several hard-coded secrets in plain text, potentially compromising the confidentiality of scan results. Credentials were found in the JAR files, including insight.github.user and insight.github.password in the "InsightServicesConfig.properties" file, and an encryption key in the "es/als/security/Encryptor.properties" file. At least one of the usernames corresponds to a valid GitHub account.

Recommendations
For Kiuwan SAST, update to a version that includes the fix for this issue. For Kiuwan Local Analyzer (KLA), remove or securely store the hard-coded secrets, such as insight.github.user and insight.github.password, and the encryption key in the "es/als/security/Encryptor.properties" file, until a patch is available. As a temporary workaround, restrict access to the "lib.engine/insight/optimyth-insight.jar" file and its contents to minimize the risk of exploitation.
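The finding above is a class of defect a defender can check for mechanically: a JAR is a ZIP archive, and any .properties entry inside it that carries a non-empty value under a credential-like key is worth flagging before the artifact ships. The script below is an added example, not Kiuwan's code or part of this advisory: it builds a constructed sample JAR in memory (placeholder values, and the key name "encryption.key" in Encryptor.properties is an assumption, since the advisory does not name that key) and reports every hard-coded credential-like property it finds.

```python
"""Added example (not Kiuwan's code): scan a JAR for .properties entries that
carry credential-like keys with non-empty values, the class of finding
described in the advisory above."""
import io
import re
import zipfile

# Key suffixes that usually hold secrets. ".user" is included so that a
# username/password pair is reported together.
SECRET_KEY_RE = re.compile(
    r"(password|passwd|secret|token|apikey|api_key|encryption[._-]?key|\.key|\.user)$",
    re.IGNORECASE,
)


def parse_properties(text):
    """Minimal Java .properties parser: key=value or key:value, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def find_hardcoded_secrets(jar_bytes):
    """Return (entry name, key) pairs for credential-like keys with a value set
    in any .properties entry of the JAR (a ZIP archive)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not name.lower().endswith(".properties"):
                continue
            props = parse_properties(jar.read(name).decode("utf-8", "replace"))
            for key, value in props.items():
                if SECRET_KEY_RE.search(key) and value.strip():
                    findings.append((name, key))
    return findings


def build_sample_jar():
    """Constructed sample JAR mirroring the entries the advisory names.
    All values are placeholders, not real credentials; 'encryption.key' is an
    assumed key name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(
            "InsightServicesConfig.properties",
            "# constructed sample\n"
            "insight.github.user=PLACEHOLDER_USER\n"
            "insight.github.password=PLACEHOLDER_PASSWORD\n"
            "insight.github.url=https://api.github.com\n",
        )
        jar.writestr("es/als/security/Encryptor.properties",
                     "encryption.key=PLACEHOLDER_KEY\n")
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, key in find_hardcoded_secrets(build_sample_jar()):
        print(f"{entry}: hard-coded value for {key}")
```

Run against a real artifact by passing the file's bytes to find_hardcoded_secrets; nested JARs (a JAR inside lib.engine, for instance) need the same routine applied recursively to each entry ending in .jar. The check only looks at key names, so keys with unusual names are missed; pairing it with an entropy or pattern scan of values reduces that gap.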

Fix

Weakness Enumeration
Cleartext Storage of Sensitive Information

Related Identifiers
CVE-2023-49113

Affected Products
Github