Miggo Logo
Miggo Vulnerability Database
CVE-2022-25510

CVE-2022-25510: Hard coded credentials in FreeTAKServer

8.8

CVSS Score
3.1

Basic Information

CVE ID
CVE-2022-25510
GHSA ID
GHSA-f897-875p-23x7
EPSS Score
0.50571%
CWE
CWE-798
Published
3/12/2022
Updated
11/26/2024
KEV Status
No
Technology
TechnologyPython

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
FreeTAKServerpip<= 1.9.81.9.8.5

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from hardcoded Flask secret keys identified in the GitHub issue (#292). While exact code isn't shown, Flask applications typically configure the secret key during app initialization (create_app pattern) or via configuration classes. The high confidence comes from: 1) CWE-798 explicitly calling out hardcoded credentials, 2) GHSA confirmation of static secret key, and 3) standard Flask security practices requiring dynamic secret management. The functions responsible for setting app.secret_key with a static value are the root cause.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*r**T*KS*rv*r *.*.* *ont*ins * **r**o*** *l*sk s**r*t k*y w*i** *llows *tt**k*rs to *r**t* *r**t** *ooki*s to *yp*ss *ut**nti**tion or *s**l*t* privil***s.

Reasoning

T** vuln*r**ility st*ms *rom **r**o*** *l*sk s**r*t k*ys i**nti*i** in t** *it*u* issu* (#***). W*il* *x**t *o** isn't s*own, *l*sk *ppli**tions typi**lly *on*i*ur* t** s**r*t k*y *urin* *pp initi*liz*tion (*r**t*_*pp p*tt*rn) or vi* *on*i*ur*tion *l