Vulnerabilities Patched in Kiuwan Code Security Products After Long Disclosure Process

It took code security firm Kiuwan nearly two years to patch several serious vulnerabilities found in its SAST products.

It took code security firm Kiuwan nearly two years to patch several potentially serious vulnerabilities discovered in its static application security testing (SAST) products.

Kiuwan is owned by US-based B2B productivity tools provider Idera. The vulnerabilities were found in the Kiuwan SAST and Local Analyzer products by a researcher at Eviden-owned cybersecurity consultancy SEC Consult, which uses the Kiuwan SAST tool for finding security issues in customer projects.

SEC Consult published an advisory describing its ‘critical’ findings on Thursday. The issues were first reported to the vendor in November 2022, and patches were released for the cloud-based product in February 2024 and the on-premises version in late May. 

Johannes Greil, head of SEC Consult’s Vulnerability Lab, who handled communications with the vendor, described it as the longest coordinated vulnerability disclosure process ever.

The vulnerabilities include a reflected cross-site scripting (XSS) flaw in the login page of Kiuwan installations with single sign-on (SSO) enabled. Because the injection point is on the login page and the payload is reflected from the request, it can be exploited by an unauthenticated attacker who gets a victim to open a crafted link.

SEC Consult also found an XML external entity (XXE) injection vulnerability that allows an authenticated attacker with permission to scan source code to read arbitrary files from the server's file system, including configuration files that contain passwords.

“Furthermore, this vulnerability also allows an attacker to initiate connections to internal systems, e.g. for port scans or accessing other internal functions / applications such as the Wildfly admin console of Kiuwan,” SEC Consult explained in its advisory.
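The two impacts described above, file disclosure and connections to internal services such as the WildFly admin console, are the standard consequences of an XML parser that resolves external entities, independent of Kiuwan's own code, which is not public. The Java snippet below is an added illustration and is not code from Kiuwan or SEC Consult: it parses a constructed XML document of the kind an attacker could drop into a project submitted for scanning, once with a default JAXP parser and once with a parser hardened against XXE. The file path, the WildFly management port mentioned in a comment, and all class and method names are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class XxeDemo {

    // Constructed payload (not from the advisory): an XML file an attacker could place in a
    // project that the scanner will parse. The SYSTEM entity points at a local file, so the
    // parser substitutes the file's content for &xxe;. Pointing it at http://127.0.0.1:9990/
    // (WildFly's default management port, assumed here) turns the same bug into SSRF against
    // internal services, which is the second impact the advisory describes.
    static final String PAYLOAD =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE cfg [\n" +
        "  <!ENTITY xxe SYSTEM \"file:///etc/hostname\">\n" +
        "]>\n" +
        "<cfg><value>&xxe;</value></cfg>";

    // Default JAXP factory: the JDK's built-in parser resolves external general entities,
    // so parsing the payload reads the referenced file into the document.
    static DocumentBuilderFactory vulnerableFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    // Hardened factory following the OWASP XXE prevention guidance: reject DOCTYPE
    // declarations outright, and also disable entity expansion and external DTD loading
    // in case a parser implementation does not honour the first feature.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    // Parse the document and return the text of <value>, i.e. whatever &xxe; expanded to.
    static String parseValue(DocumentBuilderFactory dbf, String xml) throws Exception {
        DocumentBuilder db = dbf.newDocumentBuilder();
        Document doc = db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return doc.getDocumentElement().getElementsByTagName("value").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        try {
            // On a Linux host with /etc/hostname this prints the machine's hostname:
            // the scanner has leaked a server-side file into the parsed document.
            System.out.println("vulnerable parser read: " + parseValue(vulnerableFactory(), PAYLOAD).trim());
        } catch (Exception e) {
            System.out.println("vulnerable parser failed (file missing on this host?): " + e);
        }
        try {
            parseValue(hardenedFactory(), PAYLOAD);
            System.out.println("hardened parser: UNEXPECTED success");
        } catch (SAXParseException e) {
            // Expected: the DOCTYPE is rejected before any entity can be resolved.
            System.out.println("hardened parser rejected document: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac XxeDemo.java && java XxeDemo`. Disallowing DOCTYPE declarations is the single most effective setting, but it also rejects legitimate documents that carry an inline DTD; a product that must accept such input should instead keep the doctype and rely on the entity and external-DTD features shown, and treat any parser configured differently from this as a finding in its own right.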

The company also discovered a privilege escalation vulnerability: an attacker who has already compromised the application can escalate privileges to root on the underlying host.

Greil told SecurityWeek that while in theory these vulnerabilities could be chained to compromise the targeted system remotely and without authentication, conducting such an attack would be complex due to the limited impact of the XSS flaw, which only affects certain configurations and which cannot be used directly to steal session IDs via JavaScript.

SEC Consult also found that the Kiuwan applications are affected by an insecure direct object reference (IDOR) bug, which allows authenticated users to view information they should not have access to by supplying object identifiers that the application fails to authorize.

The company also discovered that the Kiuwan Local Analyzer (KLA) Java application contains several hardcoded secrets in plain text, which could potentially compromise the confidentiality of scan results.

SecurityWeek reached out to Kiuwan several days before this article was published for clarifications on why it took so long to patch the vulnerabilities, but the company has not responded. 

Related: Trend Micro Patches Exploited Zero-Day Vulnerability in Endpoint Security Products

Related: Perimeter81 Vulnerability Disclosed After Botched Disclosure Process

Related: Barracuda Zero-Day Exploited to Deliver Malware for Months Before Discovery

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
