CVE-2025-3838

Summary

An Improper Authorization vulnerability was identified in the EOL OVA based connect component which is deployed for installation purposes in the customer internal network. Under certain conditions, this could allow a bad actor to gain unauthorized access to the local db containing weakly hashed credentials of the installer. This EOL component was deprecated in September 2023 with end of support extended till January 2024.

Affected Software

VendorProductVersion RangeStatus
SaviyntOVA based ConnectAlmaLinux-8.x_SC2.0-Client-2.0affected
SaviyntOVA based ConnectAlmaLinux-8.x_SC2.0-Client-3.0affected
SaviyntOVA based ConnectCentOS-7.x_SC2.0-Client-2.0affected
SaviyntOVA based ConnectCentOS-7.x_SC2.0-Client-3.0affected
SaviyntOVA based ConnectRHEL-8.x_SC2.0-Client-2.0affected
SaviyntOVA based ConnectRHEL-8.x_SC2.0-Client-3.0affected

Weaknesses

  • CWE-863: CWE-863 Incorrect Authorization
  • CWE-327: CWE-327 Use of a Broken or Risky Cryptographic Algorithm

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References