
CVE-2023-1712: Use of hard-coded, security-relevant constants in deepset-ai/haystack

CVSS Score: 9.8 (CVSS v3.1)

Basic Information

EPSS Score: 0.50782%
Published: 3/30/2023
Updated: 4/6/2023
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name: farm-haystack
Ecosystem: pip
Vulnerable Versions: <= 1.15.0
First Patched Version: none listed

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from hard-coded security constants in environment variable definitions within configuration files (docker-compose.yml and README.md), not from specific code functions. The commit diff shows hard-coded credentials/secrets like DEFAULT_ADMIN_PASSWORD, PROD_DB_PASSWORD, COOKIE_KEYS, and JWT_SECRET being defined with insecure default values. These are configuration-level issues rather than function-level vulnerabilities. The patch addresses this by removing hard-coded values and adding security warnings, but there's no evidence of vulnerable application logic functions in the provided code diffs or descriptions.
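An added example, not code from the Miggo record or from the haystack project: a line-based check for the configuration pattern the analysis describes, that is, environment entries in a docker-compose.yml whose key looks security-relevant and whose value is a literal (or a ${VAR:-default}) rather than a substitution the deployer must supply. The two compose snippets are constructed; the variable names come from the analysis above and the values are placeholders.

```python
import re

# Constructed samples modelled on the advisory's description (variable names
# from the page, values are placeholders, not the real ones).
WEAK_ENV = """\
environment:
  - DEFAULT_ADMIN_PASSWORD=admin
  - PROD_DB_PASSWORD=changeme
  - COOKIE_KEYS=abc123
  - JWT_SECRET=supersecret
  - LOG_LEVEL=info
"""
# Corrected form: values come from the deployer's environment and compose
# refuses to start if they are unset (${VAR:?message}); a ${VAR:-default}
# would still ship a secret and is flagged by the check below.
HARDENED_ENV = """\
environment:
  DEFAULT_ADMIN_PASSWORD: ${DEFAULT_ADMIN_PASSWORD:?set admin password}
  PROD_DB_PASSWORD: "${PROD_DB_PASSWORD:?set db password}"
  COOKIE_KEYS: ${COOKIE_KEYS:?set cookie keys}
  JWT_SECRET: ${JWT_SECRET:?set jwt secret}
"""

SENSITIVE_KEY = re.compile(r"PASSWORD|SECRET|KEY|TOKEN", re.IGNORECASE)  # heuristic
# Substitutions without a baked-in default: ${VAR}, ${VAR:?msg}, ${VAR?msg}, $VAR
REQUIRED_SUBST = re.compile(r"^\$\{[A-Za-z_]\w*(:?\?[^}]*)?\}$|^\$[A-Za-z_]\w*$")
ENV_ENTRY = re.compile(r"^\s*-?\s*([A-Za-z_]\w*)\s*[=:]\s*(.*?)\s*$")  # "- K=v" or "K: v"

def find_hardcoded_secrets(compose_text: str) -> list[tuple[str, str]]:
    """Sensitive-looking environment entries whose value is a literal or a baked-in default."""
    findings, in_env, env_indent = [], False, 0
    for line in compose_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if stripped == "environment:":
            in_env, env_indent = True, indent
            continue
        if in_env and indent <= env_indent:
            in_env = False  # dedent ends the environment block
        if not in_env:
            continue
        m = ENV_ENTRY.match(line)
        if m and SENSITIVE_KEY.search(m.group(1)):
            value = m.group(2).strip("\"'")
            if value and not REQUIRED_SUBST.match(value):
                findings.append((m.group(1), value))
    return findings
```

Run it over a repository's compose files in CI; a non-empty result for the weak form above is the condition the patch removed, while the hardened form yields nothing.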


WAF Protection Rules

WAF Rule

Use of hard-coded, security-relevant constants in GitHub repository deepset-ai/haystack in version 1.15.0 and prior. A patch is available at commit ****************************************.
