CVE-2024-45744 (GCVE-0-2024-45744)
Vulnerability from cvelistv5
Published
2024-09-27 15:56
Modified
2025-10-02 14:09
Severity ?
3.0 (Low) - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N
CWE
  • CWE-257 - Storing Passwords in a Recoverable Format
  • CWE-312 - Cleartext Storage of Sensitive Information
Summary
TopQuadrant TopBraid EDG stores external credentials insecurely. An authenticated attacker with file system access can read edg-setup.properites and obtain the secret to decrypt external passwords stored in edg-vault.properties. An authenticated attacker could gain file system access using a separate vulnerability such as CVE-2024-45745. At least version 7.1.3 is affected. Version 7.3 adds HashiCorp Vault integration that does not store external passwords locally. Version 8.3.0 warns when using plain text secrets.
References
Impacted products
Vendor Product Version
TopQuadrant TopBraid EDG Version: 7.1.3
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-45744",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-27T17:44:24.546908Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-27T17:44:33.233Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "TopBraid EDG",
          "vendor": "TopQuadrant",
          "versions": [
            {
              "status": "affected",
              "version": "7.1.3"
            }
          ]
        }
      ],
      "datePublic": "2024-09-27T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "TopQuadrant TopBraid EDG stores external credentials insecurely. An authenticated attacker with file system access can read edg-setup.properites and obtain the secret to decrypt external passwords stored in edg-vault.properties. An authenticated attacker could gain file system access using a separate vulnerability such as CVE-2024-45745.\u00a0At least version 7.1.3 is affected. Version 7.3 adds HashiCorp Vault integration that does not store external passwords locally. Version 8.3.0 warns when using plain text secrets."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-257",
              "description": "CWE-257 Storing Passwords in a Recoverable Format",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-312",
              "description": "CWE-312 Cleartext Storage of Sensitive Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-02T14:09:27.993Z",
        "orgId": "9119a7d8-5eab-497f-8521-727c672e3725",
        "shortName": "cisa-cg"
      },
      "references": [
        {
          "name": "url",
          "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2024/va-24-254-02.json"
        },
        {
          "name": "url",
          "url": "https://www.topquadrant.com/doc/latest/reference/PasswordManagementAdminPage.html"
        },
        {
          "name": "url",
          "url": "https://www.topquadrant.com/doc/latest/administrator_guide/edg_installation_and_authentication/hashicorp_integration.html"
        },
        {
          "name": "url",
          "url": "https://www.topquadrant.com/release-note/7-3/"
        },
        {
          "name": "url",
          "url": "https://www.topquadrant.com/wp-content/uploads/2025/02/changes-8.3.0.txt"
        }
      ],
      "title": "TopQuadrant TopBraid EDG password manager stores external credentials insecurely"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725",
    "assignerShortName": "cisa-cg",
    "cveId": "CVE-2024-45744",
    "datePublished": "2024-09-27T15:56:11.980Z",
    "dateReserved": "2024-09-05T23:12:56.519Z",
    "dateUpdated": "2025-10-02T14:09:27.993Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-45744\",\"sourceIdentifier\":\"9119a7d8-5eab-497f-8521-727c672e3725\",\"published\":\"2024-09-27T16:15:04.940\",\"lastModified\":\"2025-10-02T15:15:52.620\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"TopQuadrant TopBraid EDG stores external credentials insecurely. An authenticated attacker with file system access can read edg-setup.properites and obtain the secret to decrypt external passwords stored in edg-vault.properties. An authenticated attacker could gain file system access using a separate vulnerability such as CVE-2024-45745.\u00a0At least version 7.1.3 is affected. Version 7.3 adds HashiCorp Vault integration that does not store external passwords locally. Version 8.3.0 warns when using plain text secrets.\"},{\"lang\":\"es\",\"value\":\"TopQuadrant TopBraid EDG almacena credenciales externas de forma insegura. Un atacante autenticado con acceso al sistema de archivos puede leer edg-setup.properites y obtener el secreto para descifrar las contrase\u00f1as externas almacenadas en edg-vault.properties. Un atacante autenticado podr\u00eda obtener acceso al sistema de archivos utilizando una vulnerabilidad independiente como CVE-2024-45745. Al menos la versi\u00f3n 7.1.3 est\u00e1 afectada. La versi\u00f3n 7.3 agrega la integraci\u00f3n de HashiCorp Vault que no almacena las contrase\u00f1as externas de forma local.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"9119a7d8-5eab-497f-8521-727c672e3725\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N\",\"baseScore\":3.0,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.3,\"impactScore\":1.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"9119a7d8-5eab-497f-8521-727c672e3725\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-257\"},{\"lang\":\"en\",\"value\":\"CWE-312\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-522\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:topquadrant:topbraid_edg:7.1.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6106B9F4-797A-48F2-A625-64220550527C\"}]}]}],\"references\":[{\"url\":\"https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2024/va-24-254-02.json\",\"source\":\"9119a7d8-5eab-497f-8521-727c672e3725\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.topquadrant.com/doc/latest/administrator_guide/edg_installation_and_authentication/hashicorp_integration.html\",\"source\":\"9119a7d8-5eab-497f-8521-727c672e3725\",\"tags\":[\"Technical Description\"]},{\"url\":\"https://www.topquadrant.com/doc/latest/reference/PasswordManagementAdminPage.html\",\"source\":\"9119a7d8-5eab-497f-8521-727c672e3725\",\"tags\":[\"Technical Description\"]},{\"url\":\"https://www.topquadrant.com/release-note/7-3/\",\"source\":\"9119a7d8-5eab-497f-8521-727c672e3725\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://www.topquadrant.com/wp-content/uploads/2025/02/changes-8.3.0.txt\",\"source\":\"9119a7d8-5eab-497f-8521-727c672e3725\",\"tags\":[\"Release Notes\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-45744\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-09-27T17:44:24.546908Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-09-27T17:44:29.242Z\"}}], \"cna\": {\"title\": \"TopQuadrant TopBraid EDG password manager stores external credentials insecurely\", \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"LOW\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"TopQuadrant\", \"product\": \"TopBraid EDG\", \"versions\": [{\"status\": \"affected\", \"version\": \"7.1.3\"}], \"defaultStatus\": \"unknown\"}], \"datePublic\": \"2024-09-27T00:00:00.000Z\", \"references\": [{\"url\": \"https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2024/va-24-254-02.json\", \"name\": \"url\"}, {\"url\": \"https://www.topquadrant.com/doc/latest/reference/PasswordManagementAdminPage.html\", \"name\": \"url\"}, {\"url\": \"https://www.topquadrant.com/doc/latest/administrator_guide/edg_installation_and_authentication/hashicorp_integration.html\", \"name\": \"url\"}, {\"url\": \"https://www.topquadrant.com/release-note/7-3/\", \"name\": \"url\"}, {\"url\": \"https://www.topquadrant.com/wp-content/uploads/2025/02/changes-8.3.0.txt\", \"name\": \"url\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"TopQuadrant TopBraid EDG stores external credentials insecurely. An authenticated attacker with file system access can read edg-setup.properites and obtain the secret to decrypt external passwords stored in edg-vault.properties. An authenticated attacker could gain file system access using a separate vulnerability such as CVE-2024-45745.\\u00a0At least version 7.1.3 is affected. Version 7.3 adds HashiCorp Vault integration that does not store external passwords locally. Version 8.3.0 warns when using plain text secrets.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-257\", \"description\": \"CWE-257 Storing Passwords in a Recoverable Format\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-312\", \"description\": \"CWE-312 Cleartext Storage of Sensitive Information\"}]}], \"providerMetadata\": {\"orgId\": \"9119a7d8-5eab-497f-8521-727c672e3725\", \"shortName\": \"cisa-cg\", \"dateUpdated\": \"2025-10-02T14:09:27.993Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-45744\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-10-02T14:09:27.993Z\", \"dateReserved\": \"2024-09-05T23:12:56.519Z\", \"assignerOrgId\": \"9119a7d8-5eab-497f-8521-727c672e3725\", \"datePublished\": \"2024-09-27T15:56:11.980Z\", \"assignerShortName\": \"cisa-cg\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.