
GHSA-m8v7-469p-5x89: Hard-coded System User Credentials in Folio Data Export Spring module

CVSS Score: 5.3 (CVSS v3.1)

Basic Information

CVE ID: -
EPSS Score: -
CWE: -
Published: 7/25/2023
Updated: 7/25/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version
org.folio:mod-remote-storage | maven | >= 2.0.0, < 2.0.3 | 2.0.3
org.folio:mod-remote-storage | maven | < 1.7.2 | 1.7.2

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The vulnerability stemmed from hard-coded credentials in system user initialization flows. Key evidence includes:

  1. Pre-fix TenantController had a hard-coded SYSTEM_USER constant
  2. SecurityManagerService's credential handling lacked environment variable checks
  3. Kafka listener used static credentials for API key refresh
  4. The patch introduced @Value injections for credentials and environment variable validation in ModRemoteStorageApplication
  5. Commit diff shows removal of hard-coded references and addition of configuration-based credential loading
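To make the fix pattern in the root-cause analysis concrete, here is an added illustration (not code from mod-remote-storage or the FOLIO project): a hard-coded system-user constant of the kind described, beside the @Value-injected, environment-validated replacement. The class, property and environment-variable names (HardcodedSystemUser, SystemUserCredentials, folio.system-user.*, SYSTEM_USER_NAME, SYSTEM_USER_PASSWORD) and the placeholder values are assumptions; the hardened class targets Spring Boot 3 (jakarta.annotation).

```java
import jakarta.annotation.PostConstruct;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Component;

/*
 * BEFORE: the pattern the advisory describes. The system user's credentials are
 * compile-time constants, so anyone holding the jar (or reading the public repo)
 * can log in as the module's internal user. Values here are placeholders.
 */
class HardcodedSystemUser {
    static final String SYSTEM_USER = "system-user";                 // hypothetical value
    static final String SYSTEM_USER_PASSWORD = "system-password";    // hypothetical value

    String loginPayload() {
        return "{\"username\":\"" + SYSTEM_USER
             + "\",\"password\":\"" + SYSTEM_USER_PASSWORD + "\"}";
    }
}

/*
 * AFTER: credentials are injected from Spring configuration, which maps to
 * environment variables, and the bean refuses to start if the secret is absent.
 *
 * application.yml (assumed):
 *   folio:
 *     system-user:
 *       username: ${SYSTEM_USER_NAME:mod-remote-storage}
 *       password: ${SYSTEM_USER_PASSWORD:}
 *
 * The empty default on the password is deliberate: it makes "not configured"
 * detectable at startup instead of shipping a fallback secret inside the jar.
 */
@Component
public class SystemUserCredentials {

    private final String username;
    private final String password;

    public SystemUserCredentials(
            @Value("${folio.system-user.username}") String username,
            @Value("${folio.system-user.password}") String password) {
        this.username = username;
        this.password = password;
    }

    /** Fail fast: a blank value means the operator never supplied the variable. */
    @PostConstruct
    void validate() {
        if (username == null || username.isBlank()) {
            throw new IllegalStateException(
                "folio.system-user.username is not configured (set SYSTEM_USER_NAME)");
        }
        if (password == null || password.isBlank()) {
            throw new IllegalStateException(
                "folio.system-user.password is not configured (set SYSTEM_USER_PASSWORD)");
        }
    }

    public String username() {
        return username;
    }

    /** Used only to build the login request; never log or serialize it. */
    public String password() {
        return password;
    }

    /** Redacting toString so an accidental log of the bean does not leak the secret. */
    @Override
    public String toString() {
        return "SystemUserCredentials{username='" + username + "', password=<redacted>}";
    }
}
```

When rolling out the patched version, also confirm that the environment variable is actually set in each deployment and that the password of any system user already created with the old, published value has been rotated: replacing the constant in code does not by itself invalidate a credential that was already public.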


Impact

The module creates a system user that is used to perform internal module-to-module operations. Credentials for this user are hard-coded in the source code. This makes it trivial to authenticate as this user, allowing unauthorized read ac…
