
CVE-2023-49113: CWE-312 Cleartext Storage of Sensitive Information in Kiuwan SAST Local Analyzer

Severity: High
Tags: CVE-2023-49113, CWE-312
Published: Thu Jun 20 2024 (06/20/2024, 12:39:00 UTC)
Source: CVE Database V5
Vendor/Project: Kiuwan
Product: SAST Local Analyzer

Description

The Kiuwan Local Analyzer (KLA) Java scanning application contains several hard-coded secrets in plain text format. In some cases, this can potentially compromise the confidentiality of the scan results. Several credentials were found in the JAR files of the Kiuwan Local Analyzer. The JAR file "lib.engine/insight/optimyth-insight.jar" contains the file "InsightServicesConfig.properties", which has the configuration tokens "insight.github.user" as well as "insight.github.password" prefilled with credentials. At least the specified username corresponds to a valid GitHub account. The JAR file "lib.engine/insight/optimyth-insight.jar" also contains the file "es/als/security/Encryptor.properties", which holds the key used for encrypting the results of any performed scan. This issue affects Kiuwan SAST versions earlier than master.1808.p685.q13371.

AI-Powered Analysis

Last updated: 11/04/2025, 18:24:32 UTC

Technical Analysis

CVE-2023-49113 identifies a high-severity security flaw in the Kiuwan SAST Local Analyzer, a Java-based static application security testing tool. The vulnerability arises from hard-coded secrets stored in plaintext within the application's JAR files. Specifically, the file "InsightServicesConfig.properties" inside "lib.engine/insight/optimyth-insight.jar" contains GitHub credentials (username and password), with the username confirmed as a valid GitHub account. Additionally, the file "es/als/security/Encryptor.properties" in the same JAR holds the encryption key used to protect scan results. Because these secrets are embedded in the application without encryption or obfuscation, anyone with local access to the installation, even with limited privileges, can read them by inspecting the JAR contents. This exposure can lead to unauthorized access to the GitHub account, potentially enabling further attacks such as code tampering or information leakage. Moreover, possession of the encryption key compromises the confidentiality and integrity of scan results, since the results of any scan can then be decrypted or manipulated. The vulnerability affects all versions of Kiuwan SAST Local Analyzer prior to master.1808.p685.q13371. The CVSS v3.1 score of 7.8 reflects high severity due to the high impact on confidentiality, integrity, and availability, combined with relatively low attack complexity and no requirement for user interaction. No known exploits are currently reported in the wild, but the risk remains significant given the nature of the exposed secrets.

Potential Impact

For European organizations, this vulnerability poses a substantial risk to the security of their software development lifecycle. Kiuwan SAST is used to identify vulnerabilities in source code, and compromising its scan results can undermine trust in the security posture of applications under development. Exposure of GitHub credentials could lead to unauthorized repository access, enabling attackers to inject malicious code or exfiltrate intellectual property. The leakage of encryption keys further endangers the confidentiality and integrity of scan data, potentially allowing attackers to manipulate or disclose sensitive findings. This can result in delayed vulnerability remediation, increased risk of supply chain attacks, and regulatory compliance violations under frameworks such as GDPR. Organizations relying on Kiuwan SAST Local Analyzer for secure code analysis may face operational disruptions and reputational damage if this vulnerability is exploited.

Mitigation Recommendations

Organizations should immediately assess their use of Kiuwan SAST Local Analyzer and identify affected versions. Since no official patch links are currently provided, users should contact Kiuwan support for guidance and prioritize upgrading to master.1808.p685.q13371 or later once available. In the interim, restrict local access to systems running the analyzer to trusted personnel only, and monitor for unauthorized access attempts. Treat the embedded GitHub credentials and encryption key as compromised: rotate them (or have the vendor do so) and re-encrypt any stored scan results under a fresh key. Implement secure secret management practices by externalizing credentials from application binaries and using environment variables or dedicated secret vaults. Conduct regular audits of development tools for embedded secrets, for example by inspecting .properties files shipped inside JARs for prefilled credential keys, and enforce secure coding practices to avoid hard-coded sensitive information. Additionally, review and tighten permissions on repositories and scan result storage to minimize potential damage from credential compromise.
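The following audit check is an added example, not Kiuwan's code or part of the advisory: it scans a JAR for .properties entries whose keys look credential-bearing (the key pattern is an assumption) and reports only the entry path, key name and value length, never the value itself. The sample JAR is constructed in memory to mirror the file layout named in the description, with placeholder values.

```python
import io
import re
import zipfile

# Assumed pattern for keys whose non-empty values indicate an embedded secret.
SENSITIVE_KEY = re.compile(r"(password|passwd|secret|token|\bkey\b)", re.IGNORECASE)


def parse_properties(text):
    """Minimal Java .properties parser: '#'/'!' comments, '=' or ':' separators."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def audit_jar(jar_bytes):
    """Return (entry_path, key, redacted_value) for every prefilled sensitive key
    found in any .properties file inside the JAR; values are never returned."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".properties"):
                continue
            props = parse_properties(zf.read(name).decode("utf-8", "replace"))
            for key, value in props.items():
                if SENSITIVE_KEY.search(key) and value:
                    findings.append((name, key, f"<{len(value)} chars>"))
    return findings


def build_sample_jar():
    """Constructed sample mimicking the layout in the advisory; values are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("InsightServicesConfig.properties",
                    "# constructed sample\ninsight.github.user=example-user\n"
                    "insight.github.password=EXAMPLE_PLACEHOLDER\ninsight.timeout=30\n")
        zf.writestr("es/als/security/Encryptor.properties",
                    "encryptor.key: EXAMPLE_KEY_PLACEHOLDER\n")
        zf.writestr("other.properties", "db.password=\n")  # empty value: not a finding
    return buf.getvalue()


if __name__ == "__main__":
    for path, key, shown in audit_jar(build_sample_jar()):
        print(f"{path}: {key} = {shown}")
```

Point `audit_jar` at the bytes of a real JAR (nested JARs would need to be unpacked first) to get a list of entries that should be externalized before the artifact ships.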


Technical Details

Data Version: 5.2
Assigner Short Name: SEC-VLab
Date Reserved: 2023-11-22T11:08:37.654Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 690a3b5cff58c9332ff08e96

Added to database: 11/4/2025, 5:43:56 PM

Last enriched: 11/4/2025, 6:24:32 PM

Last updated: 11/5/2025, 12:35:19 PM
