CVE-2024-45744
Severity CVSS v4.0:
Pending analysis
Type:
CWE-257
Storing Passwords in a Recoverable Format
Publication date:
27/09/2024
Last modified:
18/02/2025
Description
TopQuadrant TopBraid EDG stores external credentials insecurely. An authenticated attacker with file system access can read edg-setup.properites and obtain the secret to decrypt external passwords stored in edg-vault.properties. An authenticated attacker could gain file system access using a separate vulnerability such as CVE-2024-45745. At least version 7.1.3 is affected. Version 7.3 adds HashiCorp Vault integration that does not store external passwords locally. Version 8.3.0 warns when using plain text secrets.
Impact
Base Score 3.x
3.00
Severity 3.x
LOW
References to Advisories, Solutions, and Tools
- https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2024/va-24-254-02.json
- https://www.topquadrant.com/doc/latest/administrator_guide/edg_installation_and_authentication/hashicorp_integration.html
- https://www.topquadrant.com/doc/latest/reference/PasswordManagementAdminPage.html
- https://www.topquadrant.com/release-note/7-3/
- https://www.topquadrant.com/wp-content/uploads/2025/02/changes-8.3.0.txt