CVE-2024-33849

CVSS 6.5 MEDIUM · EPSS 0.4% · CWE-1391, CWE-321, CWE-522, CWE-657
In short

The CI-Out-of-Office Manager software uses a fixed, hard-coded encryption key that is the same in every installation, so an attacker who obtains the encrypted data can decrypt it. This is a serious security flaw because the key should be unique and secret for each installation.

Technical detail

CVE-2024-33849 involves a hard-coded cryptographic key in CI-Out-of-Office Manager up to and including version 6.0.0.77, allowing an attacker with access to encrypted data to decrypt it without authorization. The vulnerability stems from the use of a static, non-unique key (CWE-321) combined with inadequate protection of the secret (CWE-522), which lets an attacker bypass the encryption-based protection mechanism and potentially exposes confidential information.

Summary generated and translated by AI from the official description.
ci solution CI-Out-of-Office Manager through 6.0.0.77 uses a Hard-coded Cryptographic Key.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Affected products
n/a · n/a
