ID Product Version Vulnerability
CVE-2019-25021 Scytl Secure Vote (sVote) 2.1 OrientDB Password

Description

The secure-data-manager implements an orient database.
It is possible to observe that the hardcoded credentials are the same for username and password:
/source-code/online-voting-secure-data-manager/secure-data-manager-backend/secure-data-manager-services/src/main/java/com/scytl/products/ov/sdm/infrastructure/DatabaseManagerFactory.java


public interface DatabaseManagerFactory {
/**
 * The default user name.
 */
String DEFAULT_USERNAME = OUser.ADMIN;

/**
 * The default password.
 */
String DEFAULT_PASSWORD = OUser.ADMIN;

/**
 * Creates a new database manager for given URL and the default user. This
 * is a shortcut for
 * {@code newDatabaseManager(url, DEFAULT_USERNAME, DEFAULT_PASSWORD)}.
 *
 * @param url
 *            the URL
 * @return the database manager
 */
DatabaseManager newDatabaseManager(String url);

/**
 * Creates a new database manager for given URL and user.
 *
 * @param url
 *            the URL
 * @param username
 *            the user name
 * @param password
 *            the password
 * @return the database manager
 */
DatabaseManager newDatabaseManager(String url, String username,
        String password);
}

There are two function overloads for the database-manager:

public final class DatabaseManagerFactoryImpl
    implements DatabaseManagerFactory {

@Override
public DatabaseManager newDatabaseManager(final String url) {
    return newDatabaseManager(url, DEFAULT_USERNAME, DEFAULT_PASSWORD);
}

@Override
public DatabaseManager newDatabaseManager(final String url,
        final String username, final String password) {
    return new DatabaseManagerImpl(url, username, password);
}
}
However searching for the function only reveals calls to the url:
evoting-solution-master/source-code/online-voting-secure-data-manager/secure-data-manager-backend/sdm-ws-rest/src/main/java/com/scytl/products/ov/sdm/ui/ws/rs/config/SecureDataManagerConfig.java:        return databaseManagerFactory.newDatabaseManager(databaseURL);
evoting-solution-master/source-code/online-voting-secure-data-manager/secure-data-manager-backend/secure-data-manager-services/src/main/java/com/scytl/products/ov/sdm/infrastructure/DatabaseManagerFactoryImpl.java:    public DatabaseManager newDatabaseManager(final String url) {
evoting-solution-master/source-code/online-voting-secure-data-manager/secure-data-manager-backend/secure-data-manager-services/src/main/java/com/scytl/products/ov/sdm/infrastructure/DatabaseManagerFactoryImpl.java:        return newDatabaseManager(url, DEFAULT_USERNAME, DEFAULT_PASSWORD);
evoting-solution-master/source-code/online-voting-secure-data-manager/secure-data-manager-backend/secure-data-manager-services/src/main/java/com/scytl/products/ov/sdm/infrastructure/DatabaseManagerFactoryImpl.java:    public DatabaseManager newDatabaseManager(final String url,
evoting-solution-master/source-code/online-voting-secure-data-manager/secure-data-manager-backend/secure-data-manager-services/src/main/java/com/scytl/products/ov/sdm/infrastructure/DatabaseManagerFactory.java:     * {@code newDatabaseManager(url, DEFAULT_USERNAME, DEFAULT_PASSWORD)}.
evoting-solution-master/source-code/online-voting-secure-data-manager/secure-data-manager-backend/secure-data-manager-services/src/main/java/com/scytl/products/ov/sdm/infrastructure/DatabaseManagerFactory.java:    DatabaseManager newDatabaseManager(String url);
evoting-solution-master/source-code/online-voting-secure-data-manager/secure-data-manager-backend/secure-data-manager-services/src/main/java/com/scytl/products/ov/sdm/infrastructure/DatabaseManagerFactory.java:    DatabaseManager newDatabaseManager(String url, String username,
evoting-solution-master/source-code/online-voting-secure-data-manager/secure-data-manager-backend/secure-data-manager-services/src/test/java/com/scytl/products/ov/sdm/infrastructure/DatabaseFixture.java:        databaseManager = factory.newDatabaseManager(url);
evoting-solution-master/source-code/online-voting-secure-data-manager/secure-data-manager-backend/secure-data-manager-services/src/test/java/com/scytl/products/ov/sdm/domain/config/ConfigTest.java:        return databaseManagerFactory.newDatabaseManager(url);
evoting-solution-master/source-code/online-voting-secure-data-manager/secure-data-manager-backend/sdm-db-utils/src/main/java/com/scytl/products/ov/sdm/db/utils/SpringConfig.java:        return new DatabaseManagerFactoryImpl().newDatabaseManager(url);
Which means the database can be acessed over admin:admin.

Timeline

Date Event
February 11 2020 Submitted vulnerability to vendor
February 13 2020 Vendor response (nofix)

Credits

Name Team
Anthony Schneiter SUID
Jannis Kirschner SUID