SEC Consult Vulnerability Lab CWE-312

The Kiuwan Local Analyzer (KLA) Java scanning application contains several 
hard-coded secrets in plain text format. In some cases, this can 
potentially compromise the confidentiality of the scan results. Several credentials were found in the JAR files of the Kiuwan Local Analyzer.

The
 JAR file "lib.engine/insight/optimyth-insight.jar" contains the file 
"InsightServicesConfig.properties", which has the configuration tokens 
"insight.github.user" as well as "insight.github.password" prefilled 
with credentials. At least the specified username corresponds to a valid
 GitHub account. The
 JAR file "lib.engine/insight/optimyth-insight.jar" also contains the 
file "es/als/security/Encryptor.properties", in which the key used for 
encrypting the results of any performed scan.




This issue affects Kiuwan SAST: <master.1808.p685.q13371

SEC Consult Vulnerability Lab https://r.sec-consult.com/kiuwan [No types assigned]

SEC Consult Vulnerability Lab https://www.kiuwan.com/docs/display/K5/%5B2024-05-30%5D+Change+Log [No types assigned]