315 – Insecure service configuration - CloudDB
Description
Sensitive information is stored in the source code, and non-JSON Apache Lucene queries are enabled on the Cloudant database server.
Impact
Obtain information from the logs in the database, which in turn contain sensitive user data.
Recommendation
- Securely configure the vulnerable service so that it can only be accessed by authorized users.
- Disable queries via Query Parser.
Threat
Authorized attacker from the Internet using the credentials stored in the source code.
Expected Remediation Time
Score 4.0
Default score using CVSS 4.0. It may change depending on the context of the src.
Base 4.0
- Attack vector: N
- Attack complexity: H
- Attack Requirements: N
- Privileges required: H
- User interaction: N
- Confidentiality (VC): H
- Integrity (VI): L
- Availability (VA): N
- Confidentiality (SC): N
- Integrity (SI): N
- Availability (SA): N
Threat 4.0
- Exploit maturity: X