Password hash information exposure
Affected product(s)
- Develocity starting with 2020.4, fixed in 2024.1.9.
- Develocity starting with 2024.2, fixed in 2024.2.7.
- Develocity starting with 2024.3, fixed in 2024.3.1.
Severity
High
Published at
2025-01-22
Related CVE ID(s)
Description
A vulnerability in Develocity allows an attacker who has network access to a Develocity server to obtain the hashed password of the "system" user. The hash algorithm used by Develocity was chosen according to best practices for password storage and provides some protection against brute-force attempts.
The applicable severity of this vulnerability depends on whether the Develocity server is reachable by external or unauthorized users, and on the complexity of the "system" user's password.
Mitigation
Upgrade to Develocity 2024.1.9, 2024.2.7, 2024.3.1 or later. Use of the latest Develocity version is strongly recommended for all new installations.
After upgrading, it is recommended to change the password of the "system" user to a long and complex password that adheres to best practices.
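As an added check (not part of the advisory or Gradle's own tooling), the following script encodes the three affected ranges above and reports whether an installed Develocity version is affected and which release on its branch carries the fix. It assumes versions use the YEAR.MINOR[.PATCH] scheme the advisory uses, with a missing patch component treated as 0.

```python
# Affected ranges taken from the advisory, each as
# (first affected version, first fixed version); the fixed version itself
# is not affected. Tuples compare lexicographically, so 2024.1.10 sorts
# after 2024.1.9 as intended.
AFFECTED_RANGES = [
    ((2020, 4, 0), (2024, 1, 9)),
    ((2024, 2, 0), (2024, 2, 7)),
    ((2024, 3, 0), (2024, 3, 1)),
]


def parse_version(text):
    """Turn '2024.1.8' into (2024, 1, 8); '2024.3' becomes (2024, 3, 0)."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Develocity version: {text!r}")
    nums = [int(p) for p in parts]
    while len(nums) < 3:
        nums.append(0)  # assume patch 0 when only YEAR.MINOR is given
    return tuple(nums)


def is_affected(version_text):
    """True if the version lies in an affected range [first, fixed)."""
    v = parse_version(version_text)
    return any(lo <= v < fixed for lo, fixed in AFFECTED_RANGES)


def recommended_upgrade(version_text):
    """First fixed release on the matching branch, or None if not affected."""
    v = parse_version(version_text)
    for lo, fixed in AFFECTED_RANGES:
        if lo <= v < fixed:
            return ".".join(str(n) for n in fixed)
    return None


if __name__ == "__main__":
    # Constructed sample inputs, not real deployments.
    for installed in ("2023.4.2", "2024.1.9", "2024.2.6", "2024.3"):
        fix = recommended_upgrade(installed)
        status = f"affected, upgrade to {fix}" if fix else "not affected"
        print(f"Develocity {installed}: {status}")
```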