ID: CVE-2019-25021
Product: Scytl Secure Vote (sVote)
Version: 2.1
Vulnerability: OrientDB Password

Description

The secure-data-manager component uses an OrientDB database.
In the factory interface below, the hardcoded default credentials use the same constant (OUser.ADMIN) for both the username and the password: /source-code/online-voting-secure-data-manager/secure-data-manager-backend/secure-data-manager-services/src/main/java/com/scytl/products/ov/sdm/infrastructure/DatabaseManagerFactory.java

    import com.orientechnologies.orient.core.metadata.security.OUser;

    public interface DatabaseManagerFactory {

        /**
         * The default user name.
         */
        String DEFAULT_USERNAME = OUser.ADMIN;

        /**
         * The default password.
         */
        String DEFAULT_PASSWORD = OUser.ADMIN;

        /**
         * Creates a new database manager for given URL and the default user. This
         * is a shortcut for
         * {@code newDatabaseManager(url, DEFAULT_USERNAME, DEFAULT_PASSWORD)}.
         *
         * @param url
         *            the URL
         * @return the database manager
         */
        DatabaseManager newDatabaseManager(String url);

        /**
         * Creates a new database manager for given URL and user.
         *
         * @param url
         *            the URL
         * @param username
         *            the user name
         * @param password
         *            the password
         * @return the database manager
         */
        DatabaseManager newDatabaseManager(String url, String username, String password);
    }

The implementation provides the two overloads of newDatabaseManager; the single-argument one silently falls back to the default credentials:

    public final class DatabaseManagerFactoryImpl implements DatabaseManagerFactory {

        @Override
        public DatabaseManager newDatabaseManager(final String url) {
            return newDatabaseManager(url, DEFAULT_USERNAME, DEFAULT_PASSWORD);
        }

        @Override
        public DatabaseManager newDatabaseManager(final String url, final String username, final String password) {
            return new DatabaseManagerImpl(url, username, password);
        }
    }

However, searching the code base for callers of newDatabaseManager only reveals calls to the single-argument overload that takes just the URL:
    evoting-solution-master/source-code/online-voting-secure-data-manager/secure-data-manager-backend/sdm-ws-rest/src/main/java/com/scytl/products/ov/sdm/ui/ws/rs/config/SecureDataManagerConfig.java: return databaseManagerFactory.newDatabaseManager(databaseURL);
    evoting-solution-master/source-code/online-voting-secure-data-manager/secure-data-manager-backend/secure-data-manager-services/src/main/java/com/scytl/products/ov/sdm/infrastructure/DatabaseManagerFactoryImpl.java: public DatabaseManager newDatabaseManager(final String url) {
    evoting-solution-master/source-code/online-voting-secure-data-manager/secure-data-manager-backend/secure-data-manager-services/src/main/java/com/scytl/products/ov/sdm/infrastructure/DatabaseManagerFactoryImpl.java: return newDatabaseManager(url, DEFAULT_USERNAME, DEFAULT_PASSWORD);
    evoting-solution-master/source-code/online-voting-secure-data-manager/secure-data-manager-backend/secure-data-manager-services/src/main/java/com/scytl/products/ov/sdm/infrastructure/DatabaseManagerFactoryImpl.java: public DatabaseManager newDatabaseManager(final String url,
    evoting-solution-master/source-code/online-voting-secure-data-manager/secure-data-manager-backend/secure-data-manager-services/src/main/java/com/scytl/products/ov/sdm/infrastructure/DatabaseManagerFactory.java: * {@code newDatabaseManager(url, DEFAULT_USERNAME, DEFAULT_PASSWORD)}.
    evoting-solution-master/source-code/online-voting-secure-data-manager/secure-data-manager-backend/secure-data-manager-services/src/main/java/com/scytl/products/ov/sdm/infrastructure/DatabaseManagerFactory.java: DatabaseManager newDatabaseManager(String url);
    evoting-solution-master/source-code/online-voting-secure-data-manager/secure-data-manager-backend/secure-data-manager-services/src/main/java/com/scytl/products/ov/sdm/infrastructure/DatabaseManagerFactory.java: DatabaseManager newDatabaseManager(String url, String username,
    evoting-solution-master/source-code/online-voting-secure-data-manager/secure-data-manager-backend/secure-data-manager-services/src/test/java/com/scytl/products/ov/sdm/infrastructure/DatabaseFixture.java: databaseManager = factory.newDatabaseManager(url);
    evoting-solution-master/source-code/online-voting-secure-data-manager/secure-data-manager-backend/secure-data-manager-services/src/test/java/com/scytl/products/ov/sdm/domain/config/ConfigTest.java: return databaseManagerFactory.newDatabaseManager(url);
    evoting-solution-master/source-code/online-voting-secure-data-manager/secure-data-manager-backend/sdm-db-utils/src/main/java/com/scytl/products/ov/sdm/db/utils/SpringConfig.java: return new DatabaseManagerFactoryImpl().newDatabaseManager(url);

Every production caller therefore opens the database with the defaults, which means the database can be accessed with admin:admin.
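As an added illustration (not code from the sVote project), the following factory shows the corrective pattern: credentials come from configuration, the URL-only overload is removed so no caller can fall back to defaults, and the OrientDB default password is refused at startup. The environment variable names and the Credentials holder are assumptions.

```java
import java.util.Map;
import java.util.Objects;

/** Added example: a credential-sourcing factory that never falls back to admin:admin. */
public final class ConfiguredDatabaseManagerFactory {

    // OrientDB's built-in default account; the same value the advisory's OUser.ADMIN constant carries.
    private static final String ORIENTDB_DEFAULT = "admin";

    /** Simple holder for the resolved credentials (assumed type, not part of the project). */
    public static final class Credentials {
        public final String username;
        public final String password;
        Credentials(String username, String password) {
            this.username = username;
            this.password = password;
        }
    }

    /**
     * Resolves credentials from the given environment map (pass System.getenv() in production).
     * Fails fast instead of substituting a default, so a misconfigured deployment cannot start
     * with the OrientDB default account.
     */
    public static Credentials fromEnvironment(Map<String, String> env) {
        String user = env.get("SDM_DB_USER");      // hypothetical variable name
        String pass = env.get("SDM_DB_PASSWORD");  // hypothetical variable name
        if (user == null || user.isEmpty() || pass == null || pass.isEmpty()) {
            throw new IllegalStateException(
                "SDM_DB_USER and SDM_DB_PASSWORD must be set; no default credentials exist");
        }
        // Reject the vendor default password and the username-equals-password pattern from the advisory.
        if (ORIENTDB_DEFAULT.equals(pass) || Objects.equals(user, pass)) {
            throw new IllegalStateException(
                "refusing OrientDB default or username-equals-password credentials");
        }
        return new Credentials(user, pass);
    }

    // Deliberately no newDatabaseManager(String url) overload: every caller must
    // supply explicit credentials, so a bare URL can no longer mean admin:admin.

    public static void main(String[] args) {
        Credentials c = fromEnvironment(System.getenv());
        System.out.println("database user configured: " + c.username);
    }
}
```

Running the class with the variables unset or set to admin/admin terminates with the IllegalStateException, which is the intended behaviour for a deployment that has not been configured.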

Disclosure Timeline

Credit

Jannis Kirschner & Anthony Schneiter from Team SUID