Description

TopQuadrant TopBraid EDG stores external credentials insecurely. An authenticated attacker with file system access can read edg-setup.properites and obtain the secret to decrypt external passwords stored in edg-vault.properties. An authenticated attacker could gain file system access using a separate vulnerability such as CVE-2024-45745. At least version 7.1.3 is affected. Version 7.3 adds HashiCorp Vault integration that does not store external passwords locally. Version 8.3.0 warns when using plain text secrets.

Related CPE's

a

topquadrant

topbraid_edg

7.1.3

Vulnerable

References

https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2024/va-24-254-02.json

Third Party Advisory

https://www.topquadrant.com/doc/latest/administrator_guide/edg_installation_and_authentication/hashicorp_integration.html

Technical Description

https://www.topquadrant.com/doc/latest/reference/PasswordManagementAdminPage.html

Technical Description

https://www.topquadrant.com/release-note/7-3/

Release Notes

https://www.topquadrant.com/wp-content/uploads/2025/02/changes-8.3.0.txt

Release Notes

Weaknesses

9119a7d8-5eab-497f-8521-727c672e3725

Secondary
CWE-257CWE-312

[email protected]

Primary
CWE-522

CVSS impact metrics

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N

3 · Low

Information

Source identifier

9119a7d8-5eab-497f-8521-727c672e3725

Vulnerability status

Modified

Published

2024-09-27T14:15:04.940Z

1 year ago

Last modified

2025-10-02T13:15:52.620Z

5 months ago