EIQ-2018-0001
ID |
EIQ-2018-0001 (Former ref.: 1801-01) |
CVE |
- |
Description |
Log in as each user by configured standard key |
Date |
- |
Severity |
3 - HIGH |
CVSSv3 score |
CVSSv3 score not available on NIST NVD. |
Status |
2.3.0 |
Assessment |
All EclecticIQ customers can download the same virtual machine with a preset secret key. With this key an attacker can copy a valid long-lasting token with one random user ID. The token is accepted by the EclecticIQ Platform application. All requests can then be executed with the rights of the user for the user ID set. |
Mitigation |
Affected VMs have been removed from the download portal. They were replaced with versions containing a unique key generated on starting the instance. |
Affected versions |
2.2.0 deployed as a virtual machine image. |
Notes |
EclecticIQ Platform installation documentation recommends changing the platform predefined secret key on installation. If these instructions are followed, the configured environment is not affected by this finding. |