CVE-2025-3838
MEDIUMSaviynt OVA based Connect - Improper Authorization and Weak Credential Hashing
Title source: llmDescription
An Improper Authorization vulnerability was identified in the EOL OVA based connect component which is deployed for installation purposes in the customer internal network. Under certain conditions, this could allow a bad actor to gain unauthorized access to the local db containing weakly hashed credentials of the installer. This EOL component was deprecated in September 2023 with end of support extended till January 2024.
References (1)
Core 1
Core References
Various Sources
https://saviynt.com/trust-compliance-security
Scores
CVSS v4
6.1
EPSS
0.0011
EPSS Percentile
1.5%
CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-327
CWE-863
Status
published
Products (6)
Saviynt/OVA based Connect
AlmaLinux-8.x_SC2.0-Client-2.0
Saviynt/OVA based Connect
AlmaLinux-8.x_SC2.0-Client-3.0
Saviynt/OVA based Connect
CentOS-7.x_SC2.0-Client-2.0
Saviynt/OVA based Connect
CentOS-7.x_SC2.0-Client-3.0
Saviynt/OVA based Connect
RHEL-8.x_SC2.0-Client-2.0
Saviynt/OVA based Connect
RHEL-8.x_SC2.0-Client-3.0
Published
Apr 21, 2025
Tracked Since
Feb 18, 2026