Kiuwan, a code security firm owned by US-based Idera, took nearly two years to patch significant vulnerabilities in its static application security testing (SAST) products. The issues were identified by SEC Consult, a cybersecurity consultancy owned by Eviden, while using Kiuwan’s tools in customer projects. These vulnerabilities were first reported in November 2022, but patches were only released for the cloud-based version in February 2024 and the on-premises version in May 2024. SEC Consult described this as one of the longest coordinated vulnerability disclosure processes they had ever experienced.
The identified vulnerabilities included a reflected cross-site scripting (XSS) flaw affecting Kiuwan installations with Single Sign-On (SSO) enabled, allowing attackers to target the login page. Additionally, there was an XXE injection vulnerability, which could enable an attacker with scanning privileges to extract sensitive operating system files or initiate connections to internal systems. These flaws presented serious risks, potentially leading to unauthorized access to confidential information.
Another significant vulnerability allowed attackers to escalate privileges to root if they managed to compromise the application. Despite the potential severity, SEC Consult noted that chaining these vulnerabilities for a remote, unauthenticated attack would be complex due to the limited impact of the XSS flaw. The XSS vulnerability affected only specific configurations and could not directly steal session IDs through JavaScript.
Further issues included an insecure direct object reference (IDOR) bug, which could allow authenticated users to access information they shouldn’t be able to see. Additionally, Kiuwan’s Local Analyzer Java application was found to contain hardcoded secrets in plain text, which could potentially compromise the confidentiality of scan results. These security flaws underscore the importance of timely patching and the risks associated with prolonged vulnerability exposure.