It took code security firm Kiuwan nearly two years to patch several potentially serious vulnerabilities discovered in its static application security testing (SAST) products.
Kiuwan is owned by US-based B2B productivity tools provider Idera. The vulnerabilities were found in the Kiuwan SAST and Local Analyzer products by a researcher at Eviden-owned cybersecurity consultancy SEC Consult, which uses the Kiuwan SAST tool for finding security issues in customer projects.
SEC Consult published an advisory describing its ‘critical’ findings on Thursday. The issues were first reported to the vendor in November 2022, and patches were released for the cloud-based product in February 2024 and the on-premises version in late May.
Johannes Greil, head of SEC Consult’s Vulnerability Lab, who handled communications with the vendor, described it as the longest coordinated vulnerability disclosure process ever.
The vulnerabilities include a reflected cross-site scripting (XSS) flaw affecting Kiuwan installations with SSO enabled, which allows an unauthenticated attacker to conduct an attack on the login page.
SEC Consult also found an XML external entity (XXE) injection vulnerability allowing an attacker with privileges to scan source code to read arbitrary operating system files, including sensitive files containing configurations and passwords.
“Furthermore, this vulnerability also allows an attacker to initiate connections to internal systems, e.g. for port scans or accessing other internal functions / applications such as the Wildfly admin console of Kiuwan,” SEC Consult explained in its advisory.
The company also discovered a vulnerability that allows an attacker who can compromise the application to escalate privileges to root.
Greil told SecurityWeek that while in theory these vulnerabilities could be chained to compromise the targeted system remotely and without authentication, conducting such an attack would be complex due to the limited impact of the XSS flaw, which only affects certain configurations and which cannot be used directly to steal session IDs via JavaScript.
SEC Consult also found that the Kiuwan applications are impacted by an insecure direct object reference (IDOR) bug, which allows authenticated users to view information they should not have access to.
The company also discovered that the Kiuwan Local Analyzer (KLA) Java application contains several hardcoded secrets in plain text, which could potentially compromise the confidentiality of scan results.
SecurityWeek reached out to Kiuwan several days before this article was published for clarifications on why it took so long to patch the vulnerabilities, but the company has not responded.