All the vulnerabilites related to TopQuadrant - TopBraid EDG
cve-2024-45744
Vulnerability from cvelistv5
Published
2024-09-27 15:56
Modified
2024-09-27 17:44
Severity ?
EPSS score ?
Summary
TopQuadrant TopBraid EDG stores external credentials insecurely. An authenticated attacker with file system access can read edg-setup.properites and obtain the secret to decrypt external passwords stored in edg-vault.properties. An authenticated attacker could gain file system access using a separate vulnerability such as CVE-2024-45745. At least version 7.1.3 is affected. Version 7.3 adds HashiCorp Vault integration that does not store external passwords locally.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | TopQuadrant | TopBraid EDG |
Version: 7.1.3 cpe:2.3:a:topquadrant:topbraid_edg:*:*:*:*:*:*:*:* |
|
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-45744", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-27T17:44:24.546908Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-27T17:44:33.233Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "cpes": [ "cpe:2.3:a:topquadrant:topbraid_edg:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "TopBraid EDG", "vendor": "TopQuadrant", "versions": [ { "status": "affected", "version": "7.1.3" } ] } ], "datePublic": "2024-09-10T00:00:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eTopQuadrant TopBraid EDG stores external credentials insecurely. An authenticated attacker with file system access can read edg-setup.properites and obtain the secret to decrypt external passwords stored in edg-vault.properties. An authenticated attacker could gain file system access using a separate vulnerability such as CVE-2024-45745.\u0026nbsp;\u003cspan style=\"background-color: var(--wht);\"\u003eAt least version 7.1.3 is affected. Version 7.3 adds HashiCorp Vault integration that does not store external passwords locally.\u003c/span\u003e\u003c/p\u003e" } ], "value": "TopQuadrant TopBraid EDG stores external credentials insecurely. An authenticated attacker with file system access can read edg-setup.properites and obtain the secret to decrypt external passwords stored in edg-vault.properties. An authenticated attacker could gain file system access using a separate vulnerability such as CVE-2024-45745.\u00a0At least version 7.1.3 is affected. Version 7.3 adds HashiCorp Vault integration that does not store external passwords locally." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] }, { "other": { "content": { "id": "CVE-2024-45744", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-06-25T14:34:53.587598Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-257", "description": "CWE-257 Storing Passwords in a Recoverable Format", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-09-27T16:37:26.351Z", "orgId": "9119a7d8-5eab-497f-8521-727c672e3725", "shortName": "cisa-cg" }, "references": [ { "name": "url", "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2024/va-24-254-02.json" }, { "name": "url", "url": "https://www.topquadrant.com/doc/latest/reference/PasswordManagementAdminPage.html" }, { "name": "url", "url": "https://www.topquadrant.com/doc/latest/administrator_guide/edg_installation_and_authentication/hashicorp_integration.html" }, { "name": "url", "url": "https://www.topquadrant.com/release-note/7-3/" } ], "source": { "discovery": "UNKNOWN" }, "title": "TopQuadrant TopBraid EDG password manager stores external credentials insecurely", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725", "assignerShortName": "cisa-cg", "cveId": "CVE-2024-45744", "datePublished": "2024-09-27T15:56:11.980Z", "dateReserved": "2024-09-05T23:12:56.519Z", "dateUpdated": "2024-09-27T17:44:33.233Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-45745
Vulnerability from cvelistv5
Published
2024-09-27 15:57
Modified
2024-09-27 17:43
Severity ?
EPSS score ?
Summary
TopQuadrant TopBraid EDG before version 8.0.1 allows an authenticated attacker to upload an XML DTD file and execute JavaScript to read local files or access URLs (XXE). Fixed in 8.0.1 (bug fix: TBS-6721).
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | TopQuadrant | TopBraid EDG |
Version: 0 < 8.0.1 |
|
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-45745", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-27T17:43:16.632957Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-27T17:43:27.032Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unknown", "product": "TopBraid EDG", "vendor": "TopQuadrant", "versions": [ { "lessThan": "8.0.1", "status": "affected", "version": "0", "versionType": "custom" }, { "status": "unaffected", "version": "8.0.1" } ] } ], "datePublic": "2024-09-10T00:00:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eTopQuadrant TopBraid EDG before version 8.0.1 allows an authenticated attacker to upload an XML DTD file and execute JavaScript to read local files or access URLs (XXE). Fixed in 8.0.1 (bug fix: TBS-6721).\u003c/p\u003e" } ], "value": "TopQuadrant TopBraid EDG before version 8.0.1 allows an authenticated attacker to upload an XML DTD file and execute JavaScript to read local files or access URLs (XXE). Fixed in 8.0.1 (bug fix: TBS-6721)." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-611", "description": "CWE-611 Improper Restriction of XML External Entity Reference", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-09-27T16:50:23.194Z", "orgId": "9119a7d8-5eab-497f-8521-727c672e3725", "shortName": "cisa-cg" }, "references": [ { "name": "url", "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2024/va-24-254-02.json" }, { "name": "url", "url": "https://www.topquadrant.com/wp-content/uploads/2024/06/changelog-8.0.1.txt" } ], "source": { "discovery": "UNKNOWN" }, "title": "TopQuadrant TopBraid EDG JavaScript console XXE", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725", "assignerShortName": "cisa-cg", "cveId": "CVE-2024-45745", "datePublished": "2024-09-27T15:57:59.876Z", "dateReserved": "2024-09-05T23:12:56.519Z", "dateUpdated": "2024-09-27T17:43:27.032Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }