CVE-2023-31056
Description
CloverDX before 5.17.3 writes passwords to the audit log in certain situations, if the audit log is enabled and single sign-on is not employed. The fixed versions are 5.15.4, 5.16.2, 5.17.3, and 6.0.x.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2023-31056: CloverDX writes plain-text passwords to audit logs when SSO is disabled, leading to credential disclosure.
Vulnerability
CVE-2023-31056 affects CloverDX Server releases from 5.14.0 onward that predate the fixes: all 5.14.x releases, 5.15.x before 5.15.4, 5.16.x before 5.16.2, and 5.17.x before 5.17.3. When the audit log is enabled (the logging.logger.server_audit.enabled property) and single sign-on (SSO) is not employed, users' passwords are written to the audit log in plain text [1]. The default configuration does not disable the audit log, so deployments that authenticate against internally managed accounts, or against LDAP without SSO, are affected [1].
Exploitation
An attacker needs only read access to the CloverDX Server audit log files, which are stored in the directory configured by cloverlogs.dir [1]. No CloverDX credentials are required; filesystem access to the logs is enough, which also covers copies of the files that end up in backups or in a central log store. With the audit log enabled and SSO not in use, every login that involves a password writes that password to the log file [1], so an attacker reading the files can harvest the credentials of every account that has logged in since the log was started.
Impact
Successful exploitation discloses user passwords in plain text, compromising the confidentiality of those credentials [1]. Because the log holds the actual passwords rather than hashes, an attacker can log in as the affected users directly, with whatever privileges each compromised account holds in the CloverDX environment, and can try the same passwords against other systems where users may have reused them.
Mitigation
Fixed versions are 5.15.4, 5.16.2, 5.17.3, and 6.0.x [1]; installations on affected versions should be upgraded immediately. Where an upgrade cannot be applied right away, disable the audit log by setting logging.logger.server_audit.enabled to false and delete the existing audit log files that contain passwords [1], including any copies held in backups or log collectors. Any password already written to the log should be treated as exposed, so the affected users should change their passwords once the log has been cleaned up. Versions before 5.14.0, and deployments that authenticate through SSO, are not affected [1].
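The script below is an added illustration for the Exploitation and Mitigation sections, not code from CloverDX or from this advisory. It shows the two checks a practitioner would run on a suspect server: read the server properties to confirm whether the audit log is still enabled, and scan the audit-log directory for password-bearing entries so that the accounts needing a password change can be listed without copying the passwords anywhere. The page does not document CloverDX's actual audit-log line format, so the sample log lines, the `user=`/`password=` key-value layout, and the sample properties file are constructed assumptions; the regular expressions must be adjusted to the real format before use.

```python
import re
from pathlib import Path
from typing import Dict, Iterable

# Constructed sample of what a leaking audit log might contain. CloverDX's real
# audit-log format is not shown on this page; the key=value layout is an assumption.
SAMPLE_AUDIT_LOG = """\
2023-04-18 09:12:01 INFO  server_audit user=alice action=login password=Sup3rSecret! result=OK
2023-04-18 09:13:44 INFO  server_audit user=bob action=login password=hunter2 result=FAIL
2023-04-18 09:14:02 INFO  server_audit user=alice action=run_graph graph=etl.grf result=OK
2023-04-18 09:15:30 INFO  server_audit user=carol action=login sso=true result=OK
"""

# Constructed sample properties file. The property name is the one the advisory
# names; the file layout is ordinary Java .properties syntax.
SAMPLE_PROPERTIES = """\
# CloverDX Server configuration (constructed sample)
cloverlogs.dir=/var/opt/cloverdx/logs
logging.logger.server_audit.enabled=true
"""

AUDIT_PROPERTY = "logging.logger.server_audit.enabled"

# A password-bearing key=value pair; the value runs to the next whitespace.
PASSWORD_FIELD = re.compile(r"\b(password|passwd|pwd)=\S+", re.IGNORECASE)
USER_FIELD = re.compile(r"\buser=(\S+)")


def audit_log_enabled(properties_text: str) -> bool:
    """Parse server properties and report whether the audit log is on.

    The advisory says the default configuration does not disable the audit
    log, so a missing property is treated as enabled.
    """
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        if key.strip() == AUDIT_PROPERTY:
            return value.strip().lower() not in ("false", "no", "0")
    return True


def exposed_accounts(lines: Iterable[str]) -> Dict[str, int]:
    """Map each username to the number of log lines that carry its password.

    Only usernames and counts are collected; the passwords themselves are
    never stored or returned, so the report can be handed to whoever must
    force the password changes.
    """
    hits: Dict[str, int] = {}
    for line in lines:
        if not PASSWORD_FIELD.search(line):
            continue
        m = USER_FIELD.search(line)
        user = m.group(1) if m else "<unknown>"
        hits[user] = hits.get(user, 0) + 1
    return hits


def redact(line: str) -> str:
    """Replace the password value in a log line with a fixed marker."""
    return PASSWORD_FIELD.sub(r"\1=[REDACTED]", line)


def scan_log_dir(cloverlogs_dir: Path) -> Dict[str, int]:
    """Run exposed_accounts over every *.log* file under cloverlogs.dir,
    the directory the advisory identifies as holding the audit log."""
    totals: Dict[str, int] = {}
    for path in sorted(cloverlogs_dir.glob("*.log*")):
        with path.open(encoding="utf-8", errors="replace") as fh:
            for user, n in exposed_accounts(fh).items():
                totals[user] = totals.get(user, 0) + n
    return totals


if __name__ == "__main__":
    print("audit log enabled:", audit_log_enabled(SAMPLE_PROPERTIES))
    for user, n in sorted(exposed_accounts(SAMPLE_AUDIT_LOG.splitlines()).items()):
        print(f"change password for {user}: leaked in {n} line(s)")
    print(redact(SAMPLE_AUDIT_LOG.splitlines()[0]))
```

On the constructed sample the scanner flags alice and bob (both logged in with a password) and ignores carol's SSO login, which matches the advisory's statement that SSO deployments are unaffected. Run `scan_log_dir(Path("/path/from/cloverlogs.dir"))` against the real directory after adapting the regular expressions; the redacted excerpts are what to attach to an incident record instead of the raw lines.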
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
CloverDX / CloverDX
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.