EIQ-2018-0001



ID: EIQ-2018-0001 (Former ref.: 1801-01)

CVE: -

Description: Log in as any user by means of the preconfigured default secret key

Date: -

Severity: 3 - HIGH

CVSSv3 score: CVSSv3 score not available on NIST NVD.

Status: fixed in 2.3.0

Assessment

The virtual machine image offered to all EclecticIQ customers ships with the same preset secret key.

Anyone holding this key can create a valid long-lived token carrying an arbitrary user ID.

Such a token is accepted by the EclecticIQ Platform application.

Every request made with the token is then executed with the rights of the user whose ID it carries.

Mitigation

The affected VM images have been removed from the download portal.

They were replaced with images that generate a unique key when the instance is started.

Affected versions

2.2.0 deployed as a virtual machine image.

Notes

The EclecticIQ Platform installation documentation recommends changing the platform's predefined secret key during installation.

If these instructions are followed, the configured environment is not affected by this finding.
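To make the finding and its fix concrete, the following Python example is added here; it is not EclecticIQ code, and the token format, the DEFAULT_SECRET_KEY placeholder and all function names are constructed for illustration. It models a deployment whose HMAC-signed session tokens are verified with the instance secret key: while two instances share the image's preset key, a token issued under that key verifies on both (the Assessment above); once each instance generates its own key at start-up (the Mitigation) and refuses to run with the shipped default (the Notes' recommendation, expressed as a start-up check), tokens signed under any other key are rejected.

```python
"""Shared default secret key vs. per-instance key, shown with a toy
HMAC-signed session token. Constructed example, not the platform's format."""
import base64
import hashlib
import hmac
import json
import secrets

# Constructed placeholder standing in for a key baked into a shared VM image.
DEFAULT_SECRET_KEY = b"CHANGE-ME-default-platform-secret"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(secret_key: bytes, user_id: str, expires_at: int) -> str:
    """Sign {uid, exp} with the instance secret. Whoever holds secret_key can
    call this for any uid, which is why a key shared across images is fatal."""
    payload = json.dumps({"uid": user_id, "exp": expires_at}, sort_keys=True).encode()
    tag = hmac.new(secret_key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"


def verify_token(secret_key: bytes, token: str, now: int):
    """Return the user id if the tag matches and the token is unexpired, else None."""
    try:
        payload_b64, tag_b64 = token.split(".")
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except ValueError:  # malformed token (bad split or bad base64)
        return None
    expected = hmac.new(secret_key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    claims = json.loads(payload)
    if claims.get("exp", 0) <= now:
        return None
    return claims.get("uid")


def generate_instance_key() -> bytes:
    """Per-instance key created when the instance starts (the advisory's fix)."""
    return secrets.token_bytes(32)


def key_is_acceptable(secret_key: bytes) -> bool:
    """Start-up check: refuse the shipped default and anything too short.
    compare_digest tolerates different lengths and simply returns False."""
    return len(secret_key) >= 32 and not hmac.compare_digest(secret_key, DEFAULT_SECRET_KEY)


def demo() -> dict:
    now = 1_500_000_000
    one_year = 365 * 86400

    # Before the fix: two deployments built from the same image share the
    # default key, so one long-lived token is valid on both of them.
    shared_token = issue_token(DEFAULT_SECRET_KEY, "admin", now + one_year)
    on_a = verify_token(DEFAULT_SECRET_KEY, shared_token, now)
    on_b = verify_token(DEFAULT_SECRET_KEY, shared_token, now)

    # After the fix: each instance holds its own random key, so tokens minted
    # under the default key, or under another instance's key, are rejected.
    key_a, key_b = generate_instance_key(), generate_instance_key()
    token_a = issue_token(key_a, "admin", now + one_year)
    return {
        "default_key_flagged": not key_is_acceptable(DEFAULT_SECRET_KEY),
        "fresh_key_ok": key_is_acceptable(key_a),
        "shared_key_cross_accept": on_a == on_b == "admin",
        "default_token_on_a": verify_token(key_a, shared_token, now),
        "a_token_on_b": verify_token(key_b, token_a, now),
        "a_token_on_a": verify_token(key_a, token_a, now),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The start-up check is the part worth copying: a deployment that reads its secret from an image-supplied file should refuse to serve requests while that value still equals the shipped default, rather than relying on an installation guide being followed.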
