Running-Elephant Datart Hard-Coded Cryptographic Key Vulnerability in AES Utility
Vulnerability
A vulnerability exists in the API component of Running-Elephant Datart versions up to 1.0.0-rc3. The issue is in the 'getTokensecret' function of 'AESUtil.java', which uses a hard-coded cryptographic key. The vulnerability can be exploited remotely, although exploitation is considered difficult because of the high complexity of the attack.
Impact
Because the cryptographic key is hard-coded, data encrypted with it can be recovered. In this case, the default AES key can be used to decrypt database passwords, exposing them in plaintext.
Reproduction
To reproduce this vulnerability, log into the application as a regular user and access database-related features. The response will include the database username in plaintext and the password encrypted with AES. If the default AES key has not been changed, this ciphertext can be decrypted to reveal the password in plaintext.
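The mitigation for this class of flaw is to remove the built-in default so that a missing key stops startup instead of silently falling back to a value every installation shares. The following is an added example, not Datart's code: the class name `ConfiguredAesKey` and the environment variable `APP_AES_KEY` are hypothetical, and AES-GCM with a random IV is this example's choice, not something the advisory states about Datart.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
// Added example, not Datart code. ConfiguredAesKey and APP_AES_KEY are hypothetical names.
public final class ConfiguredAesKey {
    private static final SecureRandom RNG = new SecureRandom();
    private final SecretKeySpec key;

    /** Fail closed: there is no fallback key, so an unset secret aborts startup. */
    public ConfiguredAesKey(String base64Key) {
        if (base64Key == null || base64Key.isBlank()) {
            throw new IllegalStateException("AES key not configured; refusing to use a default");
        }
        byte[] raw = Base64.getDecoder().decode(base64Key.trim());
        if (raw.length != 16 && raw.length != 24 && raw.length != 32) {
            throw new IllegalStateException("AES key must be 16, 24 or 32 bytes");
        }
        this.key = new SecretKeySpec(raw, "AES");
    }

    /** AES-GCM with a fresh 12-byte IV per message; output is base64(iv || ciphertext+tag). */
    public String encrypt(String plaintext) throws Exception {
        byte[] iv = new byte[12];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    /** Reads the IV from the first 12 bytes; a wrong key or tampered data throws. */
    public String decrypt(String encoded) throws Exception {
        byte[] in = Base64.getDecoder().decode(encoded);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, in, 0, 12));
        return new String(c.doFinal(in, 12, in.length - 12), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Throws IllegalStateException when APP_AES_KEY is unset: the intended behaviour.
        ConfiguredAesKey k = new ConfiguredAesKey(System.getenv("APP_AES_KEY"));
        System.out.println(k.decrypt(k.encrypt("constructed-sample-password")));
    }
}
```

Generate the per-deployment key from a cryptographically secure random source and re-encrypt any stored database passwords that were protected with the shipped default.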
