CVE-2025-3838 - Vulnerability Details - OpenCVE

An Improper Authorization vulnerability was identified in the EOL OVA based connect component which is deployed for installation purposes in the customer internal network. Under certain conditions, this could allow a bad actor to gain unauthorized access to the local db containing weakly hashed credentials of the installer. This EOL component was deprecated in September 2023 with end of support extended till January 2024.

Attack Vector Adjacent Network

Attack Complexity High

Privileges Required None

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

No data.

No data.

No data.

References

Link	Providers
https://saviynt.com/trust-compliance-security

History

Mon, 21 Apr 2025 13:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 21 Apr 2025 09:45:00 +0000

Type	Values Removed	Values Added
Description		An Improper Authorization vulnerability was identified in the EOL OVA based connect component which is deployed for installation purposes in the customer internal network. Under certain conditions, this could allow a bad actor to gain unauthorized access to the local db containing weakly hashed credentials of the installer. This EOL component was deprecated in September 2023 with end of support extended till January 2024.
Title		Improper Authorization in the installer for the EOL OVA based connect component
Weaknesses		CWE-327 CWE-863
References		https://saviynt.com/trust-compliance-security
Metrics		cvssV4_0 `{'score': 6.1, 'vector': 'CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: Saviynt

Published: 2025-04-21T09:33:33.390Z

Updated: 2025-04-21T12:47:37.813Z

Reserved: 2025-04-21T09:22:37.451Z

Link: CVE-2025-3838

Vulnrichment

Updated: 2025-04-21T12:47:00.795Z

NVD

Status : Awaiting Analysis

Published: 2025-04-21T10:15:15.493

Modified: 2025-04-21T14:23:45.950

Link: CVE-2025-3838

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-3838", "assignerOrgId": "bd8dbf88-98d9-42c6-be08-cf8e48a32093", "state": "PUBLISHED", "assignerShortName": "Saviynt", "dateReserved": "2025-04-21T09:22:37.451Z", "datePublished": "2025-04-21T09:33:33.390Z", "dateUpdated": "2025-04-21T12:47:37.813Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "packageName": "OVA based Connect", "platforms": ["Linux"], "product": "OVA based Connect", "vendor": "Saviynt", "versions": [{"status": "affected", "version": "AlmaLinux-8.x_SC2.0-Client-2.0"}, {"status": "affected", "version": "AlmaLinux-8.x_SC2.0-Client-3.0"}, {"status": "affected", "version": "CentOS-7.x_SC2.0-Client-2.0"}, {"status": "affected", "version": "CentOS-7.x_SC2.0-Client-3.0"}, {"status": "affected", "version": "RHEL-8.x_SC2.0-Client-2.0"}, {"status": "affected", "version": "RHEL-8.x_SC2.0-Client-3.0"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Achmea Security Assessment Team (SAT)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p><span style=\"background-color: transparent;\">An Improper Authorization vulnerability was identified in the EOL OVA based connect component which is deployed for installation purposes in the customer internal network. </span><span style=\"background-color: transparent;\">Under certain conditions, this could allow a bad actor to gain unauthorized access to the local db containing weakly hashed credentials of the installer. </span><span style=\"background-color: transparent;\">This EOL component was deprecated in September 2023 with end of support extended till January 2024.</span></p>"}], "value": "An Improper Authorization vulnerability was identified in the EOL OVA based connect component which is deployed for installation purposes in the customer internal network. Under certain conditions, this could allow a bad actor to gain unauthorized access to the local db containing weakly hashed credentials of the installer. This EOL component was deprecated in September 2023 with end of support extended till January 2024."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "ADJACENT", "baseScore": 6.1, "baseSeverity": "MEDIUM", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-327", "description": "CWE-327 Use of a Broken or Risky Cryptographic Algorithm", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "bd8dbf88-98d9-42c6-be08-cf8e48a32093", "shortName": "Saviynt", "dateUpdated": "2025-04-21T09:33:33.390Z"}, "references": [{"url": "https://saviynt.com/trust-compliance-security"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: transparent;\">Follow this documentation </span><a target=\"_blank\" rel=\"nofollow\" href=\"https://docs.saviyntcloud.com/bundle/Saviynt-Connect-20-Resources/page/Content/Saviynt-Connect-20-Client-Configurations.htm\"><span style=\"background-color: transparent;\">link</span></a><span style=\"background-color: transparent;\"> and migrate to the latest version of Saviynt Connect component</span><br>"}], "value": "Follow this documentation link https://docs.saviyntcloud.com/bundle/Saviynt-Connect-20-Resources/page/Content/Saviynt-Connect-20-Client-Configurations.htm \u00a0and migrate to the latest version of Saviynt Connect component"}], "source": {"discovery": "UNKNOWN"}, "title": "Improper Authorization in the installer for the EOL OVA based connect component", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-21T12:46:52.331775Z", "id": "CVE-2025-3838", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-21T12:47:37.813Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-3838", "assignerOrgId": "bd8dbf88-98d9-42c6-be08-cf8e48a32093", "state": "PUBLISHED", "assignerShortName": "Saviynt", "dateReserved": "2025-04-21T09:22:37.451Z", "datePublished": "2025-04-21T09:33:33.390Z", "dateUpdated": "2025-04-21T12:47:37.813Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "packageName": "OVA based Connect", "platforms": ["Linux"], "product": "OVA based Connect", "vendor": "Saviynt", "versions": [{"status": "affected", "version": "AlmaLinux-8.x_SC2.0-Client-2.0"}, {"status": "affected", "version": "AlmaLinux-8.x_SC2.0-Client-3.0"}, {"status": "affected", "version": "CentOS-7.x_SC2.0-Client-2.0"}, {"status": "affected", "version": "CentOS-7.x_SC2.0-Client-3.0"}, {"status": "affected", "version": "RHEL-8.x_SC2.0-Client-2.0"}, {"status": "affected", "version": "RHEL-8.x_SC2.0-Client-3.0"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Achmea Security Assessment Team (SAT)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p><span style=\"background-color: transparent;\">An Improper Authorization vulnerability was identified in the EOL OVA based connect component which is deployed for installation purposes in the customer internal network. </span><span style=\"background-color: transparent;\">Under certain conditions, this could allow a bad actor to gain unauthorized access to the local db containing weakly hashed credentials of the installer. </span><span style=\"background-color: transparent;\">This EOL component was deprecated in September 2023 with end of support extended till January 2024.</span></p>"}], "value": "An Improper Authorization vulnerability was identified in the EOL OVA based connect component which is deployed for installation purposes in the customer internal network. Under certain conditions, this could allow a bad actor to gain unauthorized access to the local db containing weakly hashed credentials of the installer. This EOL component was deprecated in September 2023 with end of support extended till January 2024."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "ADJACENT", "baseScore": 6.1, "baseSeverity": "MEDIUM", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-327", "description": "CWE-327 Use of a Broken or Risky Cryptographic Algorithm", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "bd8dbf88-98d9-42c6-be08-cf8e48a32093", "shortName": "Saviynt", "dateUpdated": "2025-04-21T09:33:33.390Z"}, "references": [{"url": "https://saviynt.com/trust-compliance-security"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: transparent;\">Follow this documentation </span><a target=\"_blank\" rel=\"nofollow\" href=\"https://docs.saviyntcloud.com/bundle/Saviynt-Connect-20-Resources/page/Content/Saviynt-Connect-20-Client-Configurations.htm\"><span style=\"background-color: transparent;\">link</span></a><span style=\"background-color: transparent;\"> and migrate to the latest version of Saviynt Connect component</span><br>"}], "value": "Follow this documentation link https://docs.saviyntcloud.com/bundle/Saviynt-Connect-20-Resources/page/Content/Saviynt-Connect-20-Client-Configurations.htm \u00a0and migrate to the latest version of Saviynt Connect component"}], "source": {"discovery": "UNKNOWN"}, "title": "Improper Authorization in the installer for the EOL OVA based connect component", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-3838", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-21T12:46:52.331775Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-21T12:47:00.795Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An Improper Authorization vulnerability was identified in the EOL OVA based connect component which is deployed for installation purposes in the customer internal network. Under certain conditions, this could allow a bad actor to gain unauthorized access to the local db containing weakly hashed credentials of the installer. This EOL component was deprecated in September 2023 with end of support extended till January 2024."}], "id": "CVE-2025-3838", "lastModified": "2025-04-21T14:23:45.950", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "ADJACENT", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "bd8dbf88-98d9-42c6-be08-cf8e48a32093", "type": "Secondary"}]}, "published": "2025-04-21T10:15:15.493", "references": [{"source": "bd8dbf88-98d9-42c6-be08-cf8e48a32093", "url": "https://saviynt.com/trust-compliance-security"}], "sourceIdentifier": "bd8dbf88-98d9-42c6-be08-cf8e48a32093", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-327"}, {"lang": "en", "value": "CWE-863"}], "source": "bd8dbf88-98d9-42c6-be08-cf8e48a32093", "type": "Secondary"}]}