Enabled default credentials in vantage6

Description

Vantage6: Set admin user and password from environment or configuration

Impact

Vantage6 currently provides an initial user with username root and password root. This is not ideal for the following reasons:

    Attackers know that almost all vantage6 servers have a user with username root that probably has admin rights.

    The initial password is very weak, and it is possible that administrators forget to reset it.

Patches

No

Workarounds

It is possible to delete the root user after it has been used to create other users.
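The description proposes taking the initial admin user and password from the environment or the configuration instead of shipping root/root, and the workaround above relies on noticing whether the default account is still around. The following Python is an added illustration of both, not vantage6's own code: the environment variable names, the configuration keys, the 16-character minimum and the PBKDF2 user store are assumptions chosen for the example.

```python
"""Bootstrap the initial admin account from environment or configuration,
and audit a user store for the shipped default credentials.

Added example, not vantage6 code. ENV_USERNAME, ENV_PASSWORD, the config
keys "admin_user"/"admin_password", MIN_PASSWORD_LENGTH and the PBKDF2
store layout are assumptions made for this illustration.
"""
import hashlib
import os
import secrets
from dataclasses import dataclass

DEFAULT_USERNAME = "root"
DEFAULT_PASSWORD = "root"
MIN_PASSWORD_LENGTH = 16            # assumed policy for the example
PBKDF2_ROUNDS = 200_000             # assumed; tune for the deployment

# Assumed environment variable names (not vantage6's own).
ENV_USERNAME = "VANTAGE6_INITIAL_ADMIN_USER"
ENV_PASSWORD = "VANTAGE6_INITIAL_ADMIN_PASSWORD"


@dataclass(frozen=True)
class AdminCredentials:
    username: str
    password: str
    generated: bool  # True when the password was randomly generated here


def resolve_initial_admin(env: dict, config: dict) -> AdminCredentials:
    """Pick the initial admin username/password.

    Precedence: environment, then configuration file, then a random
    password. The shipped 'root'/'root' pair is never accepted, and a
    configured password below the length policy is rejected at startup
    rather than silently used.
    """
    username = env.get(ENV_USERNAME) or config.get("admin_user") or DEFAULT_USERNAME
    password = env.get(ENV_PASSWORD) or config.get("admin_password")

    if password is None:
        # Nothing configured: generate a strong random secret instead of
        # falling back to the well-known default. The operator reads it once
        # from the startup output and is expected to rotate it.
        return AdminCredentials(username, secrets.token_urlsafe(24), True)

    if password == DEFAULT_PASSWORD:
        raise ValueError("the shipped default password is not accepted for the initial admin")
    if len(password) < MIN_PASSWORD_LENGTH:
        raise ValueError(f"initial admin password must be at least {MIN_PASSWORD_LENGTH} characters")
    return AdminCredentials(username, password, False)


# --- minimal user store used by the audit helper (assumed layout) ---------

def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password under a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def add_user(store: dict, username: str, password: str) -> None:
    """Store (salt, hash) for a user; salt is fresh per account."""
    salt = secrets.token_bytes(16)
    store[username] = (salt, hash_password(password, salt))


def verify_password(store: dict, username: str, password: str) -> bool:
    """Constant-time comparison of the derived hash against the stored one."""
    if username not in store:
        return False
    salt, stored = store[username]
    return secrets.compare_digest(hash_password(password, salt), stored)


def accounts_with_default_credentials(store: dict) -> list:
    """Audit for the advisory's workaround: list accounts that are still the
    shipped 'root' user and still accept the shipped default password."""
    return [u for u in store if u == DEFAULT_USERNAME
            and verify_password(store, u, DEFAULT_PASSWORD)]


def delete_user(store: dict, username: str) -> bool:
    """Remove an account (the workaround step once other admins exist)."""
    return store.pop(username, None) is not None


if __name__ == "__main__":
    creds = resolve_initial_admin(dict(os.environ), {})
    print(f"initial admin: {creds.username} (generated password: {creds.generated})")
    users = {}
    add_user(users, "root", "root")          # the shipped default, constructed
    add_user(users, "alice", creds.password)  # a properly provisioned admin
    print("still on default credentials:", accounts_with_default_credentials(users))
    delete_user(users, "root")
    print("after workaround:", accounts_with_default_credentials(users))
```

Run without either environment variable and the server would start with a freshly generated password rather than root/root; run with the default password configured and it refuses to start, which surfaces the problem at deployment time instead of leaving it for an attacker to find.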

References

We could consider doing this like MongoDB.

Additional info

Luis uses the following patch to mitigate it:

diff --git a/vantage6-server/vantage6/server/__init__.py b/vantage6-server/vantage6/server/__init__.py
index ea362c1e..c6dcbbd9 100644
--- a/vantage6-server/vantage6/server/__init__.py
+++ b/vantage6-server/vantage6/server/__init__.py
@@ -618,18 +618,30 @@ class ServerApp:
             # TODO use constant instead of 'Root' literal
             root = db.Role.get_by_name("Root")
 ...
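Review bot: the hunk body is cut off after the `root = db.Role.get_by_name("Root")` context line, so the part of the change that reads the admin username and password from the environment or configuration (the 18 replaced / 30 added lines announced by `@@ -618,18 +618,30 @@`) is not visible here; please include the full hunk so the credential handling can actually be reviewed. While touching this code, the visible `# TODO use constant instead of 'Root' literal` could be resolved in the same change rather than carried forward.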

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.
