WAPPLES through 6.0 has a hardcoded systemi account...
Critical severity
Unreviewed
Published
Sep 14, 2022
to the GitHub Advisory Database
•
Updated Feb 3, 2023
Description
Published by the National Vulnerability Database
Sep 13, 2022
Published to the GitHub Advisory Database
Sep 14, 2022
Last updated
Feb 3, 2023
WAPPLES through 6.0 has a hardcoded systemi account accessible via db/wp.no1 (as configured in the /opt/penta/wapples/script/wcc_auto_scaling.py file). A threat actor could use this account to access the system configuration and confidential information (such as SSL keys) via an HTTPS request to the /webapi/ URI on port 443 or 5001.
References