CVE-2023-28937

DataSpider Servista version 4.4 and earlier uses a hard-coded cryptographic key. DataSpider Servista is data integration software. ScriptRunner and ScriptRunner for Amazon SQS are used to start the configured processes on DataSpider Servista. The cryptographic key is embedded in ScriptRunner and ScriptRunner for Amazon SQS, which is common to all users. If an attacker who can gain access to a target DataSpider Servista instance and obtain a Launch Settings file of ScriptRunner and/or ScriptRunner for Amazon SQS, the attacker may perform operations with the user privilege encrypted in the file. Note that DataSpider Servista and some of the OEM products are affected by this vulnerability. For the details of affected products and versions, refer to the information listed in [References].
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:saison:dataspider_servista:*:*:*:*:*:*:*:*
cpe:2.3:a:saison:dataspider_servista:4.3:-:*:*:*:*:*:*
cpe:2.3:a:saison:dataspider_servista:4.4:-:*:*:*:*:*:*

History

13 Jun 2023, 10:15

Type Values Removed Values Added
References
  • (MISC) https://cs.wingarc.com/ja/download/000023565 -
  • (MISC) https://cs.wingarc.com/ja/download/000016244 -
  • (MISC) https://www.hulft.com/application/files/4416/8420/4506/information_20230519_2_en.pdf -
  • (MISC) https://www.justsystems.com/jp/services/actionista/info/20230519_001/ -
  • (MISC) https://cs.wingarc.com/ja/download/000022448 -
  • (MISC) https://www.terrasky.co.jp/files/DCSpider_ScriptRunnerVulnerability.pdf -
Summary DataSpider Servista version 4.4 and earlier uses a hard-coded cryptographic key. DataSpider Servista is data integration software. ScriptRunner and ScriptRunner for Amazon SQS are used to start the configured processes on DataSpider Servista. The cryptographic key is embedded in ScriptRunner and ScriptRunner for Amazon SQS, which is common to all users. If an attacker who can gain access to a target DataSpider Servista instance and obtain a Launch Settings file of ScriptRunner and/or ScriptRunner for Amazon SQS, the attacker may perform operations with the user privilege encrypted in the file. DataSpider Servista version 4.4 and earlier uses a hard-coded cryptographic key. DataSpider Servista is data integration software. ScriptRunner and ScriptRunner for Amazon SQS are used to start the configured processes on DataSpider Servista. The cryptographic key is embedded in ScriptRunner and ScriptRunner for Amazon SQS, which is common to all users. If an attacker who can gain access to a target DataSpider Servista instance and obtain a Launch Settings file of ScriptRunner and/or ScriptRunner for Amazon SQS, the attacker may perform operations with the user privilege encrypted in the file. Note that DataSpider Servista and some of the OEM products are affected by this vulnerability. For the details of affected products and versions, refer to the information listed in [References].

08 Jun 2023, 13:45

Type Values Removed Values Added
References (MISC) https://www.hulft.com/download_file/18675 - (MISC) https://www.hulft.com/download_file/18675 - Product
References (MISC) https://jvn.jp/en/jp/JVN38222042/ - (MISC) https://jvn.jp/en/jp/JVN38222042/ - Third Party Advisory
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 8.8
CPE cpe:2.3:a:saison:dataspider_servista:4.3:-:*:*:*:*:*:*
cpe:2.3:a:saison:dataspider_servista:*:*:*:*:*:*:*:*
cpe:2.3:a:saison:dataspider_servista:4.4:-:*:*:*:*:*:*
CWE CWE-798
First Time Saison
Saison dataspider Servista

01 Jun 2023, 02:15

Type Values Removed Values Added
New CVE

Information

Published : 2023-06-01 02:15

Updated : 2024-02-28 20:13


NVD link : CVE-2023-28937

Mitre link : CVE-2023-28937

CVE.ORG link : CVE-2023-28937


JSON object : View

Products Affected

saison

  • dataspider_servista
CWE
CWE-798

Use of Hard-coded Credentials