5.3

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-m8v7-469p-5x89

EPSS Score

CWE

Published

7/25/2023

Updated

7/25/2023

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-m8v7-469p-5x89

GHSA-m8v7-469p-5x89: Hard-coded System User Credentials in Folio Data Export Spring module

Impact

The module creates a system user that is used to perform internal module-to-module operations. Credentials for this user are hard-coded in the source code. This makes it trivial to authenticate as this user, allowing unauthorized read access to these mod-inventory-storage records: instances, holdings, items, contributor-types, identifier-types. This includes records marked as suppressed from discovery.

Patches

Upgrade mod-remote-storage to >=2.0.3, or a 1.7.x version >=1.7.1.

Workarounds

No known workarounds.

References

https://wiki.folio.org/x/hbMMBw - FOLIO Security Advisory with Upgrade Instructions https://github.com/folio-org/mod-remote-storage/commit/57df495f76e9aa5be9ce7ce3a65f89b6dbcbc13b - Fix

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-m8v7-469p-5x89

GHSA-m8v7-469p-5x89:

5.3

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-m8v7-469p-5x89

EPSS Score

CWE

Published

7/25/2023

Updated

7/25/2023

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.folio:mod-remote-storage	maven	>= 2.0.0, < 2.0.3	2.0.3
org.folio:mod-remote-storage	maven	< 1.7.2	1.7.2

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from hard-coded credentials in system user initialization flows. Key evidence includes:

Pre-fix TenantController had a hard-coded SYSTEM_USER constant
SecurityManagerService's credential handling lacked environment variable checks
Kafka listener used static credentials for API key refresh
The patch introduced @Value injections for credentials and environment variable validation in ModRemoteStorageApplication
Commit diff shows removal of hard-coded references and addition of configuration-based credential loading

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

5.3

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-m8v7-469p-5x89: Hard-coded System User Credentials in Folio Data Export Spring module

Impact

Patches

Workarounds

References

GHSA-m8v7-469p-5x89:

5.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

GHSA-m8v7-469p-5x89: Hard-coded System User Credentials in Folio Data Export Spring module

Impact

Patches

Workarounds

References

Technical Details

5.3

5.3

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI