
CVE-2023-49112: Vulnerability in Kiuwan SAST

Severity: Medium
Published: Thu Jun 20 2024 (06/20/2024, 12:36:18 UTC)
Source: CVE Database V5
Vendor/Project: Kiuwan
Product: SAST

Description

Kiuwan provides an API endpoint /saas/rest/v1/info/application to get information about any application, providing only its name via the "application" parameter. This endpoint lacks proper access control mechanisms, allowing other authenticated users to read information about applications, even though they have not been granted the necessary rights to do so. This issue affects Kiuwan SAST: <master.1808.p685.q13371

AI-Powered Analysis

Last updated: 11/04/2025, 18:24:50 UTC

Technical Analysis

CVE-2023-49112 is a vulnerability identified in Kiuwan SAST, a Static Application Security Testing tool, affecting versions prior to master.1808.p685.q13371. The issue resides in the API endpoint /saas/rest/v1/info/application, which is designed to provide information about applications based on the application name parameter. However, this endpoint lacks adequate access control checks, allowing any authenticated user to query information about any application, regardless of their assigned permissions. This represents a broken access control vulnerability (CWE-639), where authorization is insufficiently enforced. The vulnerability does not require user interaction and can be exploited remotely over the network (AV:N), with low attack complexity (AC:L). The attacker must have some level of authentication (PR:L), but no further privileges or user interaction are needed. The impact is primarily on confidentiality, as unauthorized users can access sensitive application metadata or details that should be restricted. There is no impact on integrity or availability. No known exploits are reported in the wild as of the publication date (June 20, 2024). The vulnerability is rated medium severity with a CVSS 3.1 base score of 6.5, reflecting the balance between ease of exploitation and the limited scope of impact. The lack of patch links suggests that a fix may be pending or distributed through vendor channels.
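The flaw class described above, missing object-level authorization on a lookup keyed by a caller-supplied application name, shown as an added illustration that is not Kiuwan's code. The data model, user names, application names and grants table are constructed; the hardened handler scopes the lookup to the caller's grants and returns the same 404 for "unknown" and "not granted" so application names cannot be enumerated by probing.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class AppInfo:
    name: str
    owner_team: str
    repo_url: str

# Constructed sample data: two applications and per-user grants (hypothetical).
APPLICATIONS = {
    "payments-api": AppInfo("payments-api", "team-a", "git@example.invalid:a/payments.git"),
    "hr-portal": AppInfo("hr-portal", "team-b", "git@example.invalid:b/hr.git"),
}
GRANTS = {"alice": {"payments-api"}, "bob": {"hr-portal"}}

Response = Tuple[int, Optional[AppInfo]]  # (HTTP status, body)

def info_application_vulnerable(user: str, application: str) -> Response:
    """Mirrors the flaw: the caller only has to be authenticated; any name is served."""
    if user not in GRANTS:                     # authentication check only
        return 401, None
    info = APPLICATIONS.get(application)
    return (200, info) if info else (404, None)

def info_application_fixed(user: str, application: str) -> Response:
    """Object-level authorization: serve only applications the caller is granted.

    Unauthorized and non-existent names both yield 404 so the response does not
    reveal whether an application of that name exists in another tenant.
    """
    if user not in GRANTS:
        return 401, None
    if application not in GRANTS[user]:        # authorization on the requested object
        return 404, None
    info = APPLICATIONS.get(application)
    return (200, info) if info else (404, None)
```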

Potential Impact

For European organizations, the primary impact of CVE-2023-49112 is unauthorized disclosure of sensitive application information managed within Kiuwan SAST. This could lead to leakage of intellectual property, exposure of application architecture details, or insights that facilitate further targeted attacks such as social engineering or exploitation of other vulnerabilities. Organizations relying on Kiuwan SAST for secure software development lifecycle (SDLC) processes may find their confidentiality assurances weakened. While the vulnerability does not directly compromise system integrity or availability, the information disclosure could indirectly increase risk exposure. European companies in sectors with high software development activity, including finance, manufacturing, and technology, may be particularly concerned. Additionally, regulatory frameworks such as GDPR emphasize data confidentiality, so unauthorized data exposure could have compliance implications if personal or sensitive data is involved in the application metadata.

Mitigation Recommendations

1. Apply vendor-provided patches or updates as soon as they become available to address the access control flaw in Kiuwan SAST.
2. Until patches are applied, restrict access to the Kiuwan SAST API endpoint via network segmentation and firewall rules, limiting access only to trusted users and systems.
3. Enforce strict authentication and authorization policies within Kiuwan SAST, reviewing user roles and permissions to minimize unnecessary access.
4. Monitor API access logs for unusual or unauthorized queries to detect potential exploitation attempts.
5. Consider implementing additional application-layer access controls or API gateways that can enforce fine-grained authorization checks.
6. Educate development and security teams about the vulnerability to ensure awareness and prompt reporting of suspicious activity.
7. Review and audit all application metadata stored or accessible through Kiuwan SAST to identify and protect sensitive information that could be exposed.
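A concrete form of recommendation 4, added here as an example and not taken from Kiuwan or its documentation: parse access-log lines for the /saas/rest/v1/info/application endpoint and flag any user who requested an application outside their known grants, or an unusually large number of distinct applications. The log line format, user names, application names and grants table are constructed for the example.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set
from urllib.parse import parse_qs, urlparse

# Constructed log lines in a hypothetical "<timestamp> <user> <method> <path?query>" format.
SAMPLE_LOG = """\
2024-06-21T10:00:01Z alice GET /saas/rest/v1/info/application?application=payments-api
2024-06-21T10:00:05Z bob GET /saas/rest/v1/info/application?application=hr-portal
2024-06-21T10:01:10Z bob GET /saas/rest/v1/info/application?application=payments-api
2024-06-21T10:01:12Z bob GET /saas/rest/v1/info/application?application=billing-core
2024-06-21T10:01:15Z bob GET /saas/rest/v1/info/application?application=mobile-app
2024-06-21T10:02:00Z alice GET /saas/rest/v1/analysis?application=payments-api
"""
# Constructed: which applications each user is actually entitled to see.
GRANTS: Dict[str, Set[str]] = {"alice": {"payments-api"}, "bob": {"hr-portal"}}
ENDPOINT = "/saas/rest/v1/info/application"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def queried_applications(log_text: str) -> Dict[str, Set[str]]:
    """Map user -> set of application names requested via the info endpoint only."""
    per_user: Dict[str, Set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # skip lines that do not fit the format
        _ts, user, _method, target = m.groups()
        url = urlparse(target)
        if url.path != ENDPOINT:
            continue                      # other endpoints are out of scope here
        for app in parse_qs(url.query).get("application", []):
            per_user[user].add(app)
    return per_user

def flag_users(log_text: str, grants: Dict[str, Set[str]], max_distinct: int = 2) -> Dict[str, List[str]]:
    """Return user -> sorted names queried outside their grants; a user is also listed
    when they queried more distinct applications than max_distinct, even if all granted."""
    findings: Dict[str, List[str]] = {}
    for user, apps in queried_applications(log_text).items():
        outside = apps - grants.get(user, set())
        if outside or len(apps) > max_distinct:
            findings[user] = sorted(outside)
    return findings
```

On the constructed log, bob is flagged with three applications he is not granted, while alice's request to a different endpoint is ignored.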


Technical Details

Data Version: 5.2
Assigner Short Name: SEC-VLab
Date Reserved: 2023-11-22T11:08:37.654Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 690a3b5cff58c9332ff08e91

Added to database: 11/4/2025, 5:43:56 PM

Last enriched: 11/4/2025, 6:24:50 PM

Last updated: 11/5/2025, 2:10:01 PM

