Use of Hard-coded Credentials

CVE-2024-36496

High

7.5/10

Summary

The configuration file is encrypted with a static key derived from a static five-character password which allows an attacker to decrypt this file. The application hashes this five-character password with the outdated and broken MD5 algorithm (no salt) and uses the first five bytes as the key for RC4. The configuration file is then encrypted with these parameters.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: NONE
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: HIGH
Availability Impact: NONE

CWE-798 - Use of Hard-coded Credentials

The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.

References

Advisory Timeline

Published Jun 24, 2024

Use of Hard-coded Credentials

CVE-2024-36496

Summary

CWE-798 - Use of Hard-coded Credentials

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS