PT-2024-3811 · Delinea · Delinea Pam Secret Server

Published: 2024-04-28 · Updated: 2025-10-28 · CVE-2024-33891

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Delinea Secret Server versions prior to 11.7.000001
Description: The issue stems from the use of a hardcoded encryption key in Delinea Secret Server, which allows a remote attacker to bypass the authentication procedure. The bypass can be performed via the SOAP API, specifically through the endpoint "SecretServer/webservices/SSWebService.asmx". The vulnerability also involves the use of the integer 2 as the identifier of the Admin user and the removal of the oauthExpirationId attribute.
Recommendations: For versions prior to 11.7.000001, update to version 11.7.000001 or later to resolve the issue. As a temporary workaround, consider restricting access to the SOAP API endpoint "SecretServer/webservices/SSWebService.asmx" until the patch is applied. Avoid using the hardcoded key for encryption until the issue is resolved.

Related Identifiers

BDU:2024-04187
CVE-2024-33891

Affected Products

Delinea Pam Secret Server