Toshiba CHEC, versions 6.6, 6.7, and possibly earlier, contain a hard-coded cryptographic key.
CWE-321: Use of Hard-coded Cryptographic Key - CVE-2014-4875
Toshiba CHEC, versions 6.6, 6.7, and possibly earlier, contain a hard-coded cryptographic key in the CreateBossCredentials.jar file. An attacker who can access the bossinfo.pro file may be able to use the hard-coded AES key to decrypt its contents, including the BOSS database credentials.
A remote, authenticated attacker may be able to acquire privileged credentials to the BOSS database.
Apply an update
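An added example, not part of the original advisory and not Toshiba's code: a Python audit that lists the classes in a JAR that reference `javax.crypto.spec.SecretKeySpec` and reports the lengths of any key-sized string literals they carry, which is the CWE-321 pattern described above. The function names, the class name `demo/Creds.class` and the sample literal are constructed for illustration. The check is a heuristic: a class that builds its key from a byte array is still listed, with an empty length list.

```python
import io
import struct
import zipfile
# Payload size after the tag byte for each fixed-size constant-pool entry (JVM class-file format).
CP_SIZES = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
            12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
KEY_API = "javax/crypto/spec/SecretKeySpec"

def constant_pool(data):
    """Return (utf8 entries by index, indexes used as string literals) for one class file."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    count = struct.unpack_from(">H", data, 8)[0]
    utf8, literals, pos, idx = {}, set(), 10, 1
    while idx < count:
        tag, pos = data[pos], pos + 1
        if tag == 1:  # CONSTANT_Utf8: u2 length, then the bytes
            n = struct.unpack_from(">H", data, pos)[0]
            utf8[idx] = data[pos + 2:pos + 2 + n].decode("utf-8", "replace")
            pos += 2 + n
        elif tag in CP_SIZES:
            if tag == 8:  # CONSTANT_String: index of the Utf8 entry holding the literal
                literals.add(struct.unpack_from(">H", data, pos)[0])
            pos += CP_SIZES[tag]
        else:
            raise ValueError(f"unknown constant-pool tag {tag}")
        idx += 2 if tag in (5, 6) else 1  # long and double take two slots
    return utf8, literals

def audit_jar(jar_bytes):
    """Map each class that references SecretKeySpec to the lengths of its key-sized literals."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.endswith(".class"):
                utf8, literals = constant_pool(jar.read(name))
                if KEY_API in utf8.values():
                    # AES keys are 16/24/32 bytes (32/48/64 hex chars); report lengths, never values.
                    findings[name] = sorted(len(utf8[i]) for i in literals if len(utf8.get(i, "")) in (16, 24, 32, 48, 64))
    return findings

def sample_jar():
    """Constructed input: a JAR holding one truncated class (header and constant pool only)."""
    u = lambda s: b"\x01" + struct.pack(">H", len(s)) + s.encode()
    pool = u(KEY_API) + b"\x07\x00\x01" + u("0123456789abcdef") + b"\x08\x00\x03" + u("AES") + b"\x08\x00\x05"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("demo/Creds.class", b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, 7) + pool)
    return buf.getvalue()
```

Classes it lists are candidates for manual review; the durable fix is to load key material from a protected store at run time rather than shipping it in the JAR.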
Toshiba Commerce Solutions
Thanks to David Odell for reporting this vulnerability.
| Date First Published: | 2015-06-08 |
| Date Last Updated: | 2015-06-08 13:54 UTC |