Vasion Print
- < 25.1.102
A vulnerability exists in Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102 and Application prior to version 25.1.1413. It involves two hardcoded private keys stored in clear text within the application containers. The keys are located under the configuration directory and are used as symmetric secrets for AES-256-CBC encryption and decryption of the 'SaaS Id' through specific application methods. Because the keys are hardcoded, any attacker who can access the Docker image or enumerate the filesystem can retrieve them, potentially leading to unauthorized decryption of sensitive data.
Exploitation of this vulnerability allows for unauthorized access to the hardcoded private keys, which can be used to decrypt sensitive information, specifically the 'SaaS Id' associated with the application.
Users can update to Vasion Print Virtual Appliance Host version 25.1.102 and Application version 25.1.1413 or later, where this vulnerability has been addressed.
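As an added example (not code from Vasion or from this advisory), the following check walks an unpacked container image filesystem and reports files that contain private key material, which is the condition described above. It assumes the keys are PEM-encoded; the sample tree, file names and contents are constructed and do not reflect the product's real layout.

```python
import os
import re
import tempfile

# Matches PEM private-key headers (RSA, EC, DSA, OpenSSH, PKCS#8, encrypted PKCS#8).
PEM_KEY = re.compile(rb"-----BEGIN ((?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY)-----")

def find_private_keys(rootfs, max_bytes=1 << 20):
    """Walk an unpacked image filesystem and return (relative path, key label,
    world_readable) for every regular file containing a PEM private-key header."""
    findings = []
    for dirpath, _dirs, files in os.walk(rootfs):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # skip symlinks and special files
            try:
                with open(path, "rb") as fh:
                    data = fh.read(max_bytes)
                mode = os.stat(path).st_mode
            except OSError:
                continue  # unreadable file: nothing to report
            match = PEM_KEY.search(data)
            if match:
                rel = os.path.relpath(path, rootfs)
                findings.append((rel, match.group(1).decode(), bool(mode & 0o004)))
    return sorted(findings)

def build_sample_rootfs(base):
    """Constructed sample tree (assumed layout, placeholder key bodies)."""
    conf = os.path.join(base, "app", "config")
    os.makedirs(conf)
    samples = {
        "example-a.key": b"-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED\n-----END RSA PRIVATE KEY-----\n",
        "example-b.pem": b"-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n",
        "settings.ini": b"[app]\ndebug = false\n",
    }
    for name, body in samples.items():
        path = os.path.join(conf, name)
        with open(path, "wb") as fh:
            fh.write(body)
        os.chmod(path, 0o644)
    return base

def scan_sample():
    with tempfile.TemporaryDirectory() as tmp:
        return find_private_keys(build_sample_rootfs(tmp))

if __name__ == "__main__":
    for rel, label, world in scan_sample():
        print(f"{rel}: {label} (world-readable: {world})")
```

Run against each image layer extracted to disk, any finding means key material ships with the image and should be moved to a secret store injected at runtime.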