Description
Kiuwan provides an API endpoint, /saas/rest/v1/info/application, that returns information about any application given only its name, passed in the "application" parameter. This endpoint lacks proper access control: other authenticated users can read information about applications even though they have not been granted the rights to do so. This issue affects Kiuwan SAST: <master.1808.p685.q13371
References (3)
Mailing List: http://seclists.org/fulldisclosure/2024/Jun/3
Third-party advisory: https://r.sec-consult.com/kiuwan
Release notes: https://www.kiuwan.com/docs/display/K5/%5B2024-05-30%5D+Change+Log
Scores
CVSS v3: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
Attack Vector: NETWORK
EPSS: 0.0013 (percentile 31.5%)
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical Impact: partial
Details
CWE: CWE-639
Status: published
Products (1): Kiuwan/SAST <master.1808.p685.q13371
Published: Jun 20, 2024
Tracked Since: Feb 18, 2026