VYPR
Unrated severity · NVD Advisory · Published Jun 16, 2023 · Updated Aug 2, 2024

CVE-2023-30222

Description

An information disclosure vulnerability in 4D SAS 4D Server Application v17, v18, v19 R7 and earlier allows attackers to retrieve password hashes for all users via eavesdropping.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An information disclosure vulnerability in 4D Server versions before v20 R4 allows attackers to retrieve password hashes for all users via network eavesdropping.

Vulnerability

An information disclosure vulnerability exists in 4D SAS 4D Server Application versions v17, v18, v19 R7 and earlier [1]. The vulnerability occurs because communication between the client and server can be read in clear form by anyone holding the server private key [2]. 4D ships default certificates and keys for development and testing, but the documentation recommends replacing them [2]. The communication on port 19812 does not use SSL even when encryption is enabled, and ports 19813 and 19814 use SSL with client certificates that are identical across all installations (included in the trial version) [1].

Exploitation

An attacker needs to be in a position to eavesdrop on the network traffic between a 4D client and server (e.g., man-in-the-middle) [1]. The attacker can use a trial version of 4D software, Burp Suite, and modified mitm_relay scripts to intercept and relay traffic [1]. The attacker can obtain the server private key (default keys are easily accessible) and then decrypt the communication to retrieve password hashes for all users [1][2]. The attack requires setting up a Kali Linux machine (for Burp Suite and scripts) and two Windows machines (for 4D client and 4D server) [1].

Impact

A successful attacker can retrieve password hashes for all users of the 4D server [1][2]. This leads to information disclosure of password hashes, which can be used for offline cracking or further authentication bypass attacks [1]. The impact is limited to password hash disclosure; no other server compromise is directly achieved.

Mitigation

4D recommends replacing the default server private key with a customer-specific key [2]. Starting from 4D v20 R4, the server automatically generates a new private key at each server start, ensuring each instance has a unique key [2]. There is no mention of a specific fixed version for the older branches (v17, v18, v19) other than the recommendation to replace keys and upgrade to v20 R4 or later [2]. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • 4D SAS / 4D Server Application (source: description)
  • 4D SAS / 4D Server (source: llm-create)
    Range: <= v19 R7

Patches (0)

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References (3)

News mentions (0)

No linked articles in our index yet.