Overview

Multiple critical and high severity vulnerabilities have been found in all versions of the HySecure and HyID gateways. This document describes the vulnerabilities and the hotfixes that remediate them.

Advisory Details

Advisory ID: ASA-2023-0801
Issue Date: 2022-08-11 (YYYY-MM-DD)
Severity: Critical
CVE: N/A

Vulnerability Details

All versions of HySecure and HyID gateways are affected by the following vulnerabilities:

  1. An SQL injection vulnerability in an API call allows an unauthenticated user to inject arbitrary SQL commands.
  2. An XML external entity (XXE) vulnerability allows an unauthenticated user to list internal files of the HySecure gateway.
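The two vulnerability classes listed above, shown as an added example: this is generic Python written for this page, not code from Accops or from the HySecure/HyID gateway, and it does not model the gateway's API, database schema or parser. The user table, the API parameter name, the attacker payloads and the secret file are all constructed for illustration. Each pattern appears in its vulnerable form beside the fixed form.

```python
"""Added illustration of the two vulnerability classes named in this advisory.
Generic Python for this page only; it does not reproduce Accops' gateway code."""
import io
import os
import sqlite3
import tempfile
import xml.sax
from xml.sax import handler


# --- 1. SQL injection through an unauthenticated API parameter --------------

def seed_users():
    """Constructed in-memory user table standing in for the gateway's store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def roles_unsafe(conn, name):
    """Vulnerable pattern: the request value is spliced into the SQL text, so
    a quote in `name` closes the literal and the rest is executed as SQL."""
    sql = f"SELECT role FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def roles_safe(conn, name):
    """Fixed pattern: the value is bound as a parameter and is never parsed
    as SQL, whatever characters it contains."""
    rows = conn.execute("SELECT role FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


SQLI_PAYLOAD = "' OR '1'='1"   # constructed attacker input; no account needed


# --- 2. XML external entity (XXE) disclosing a local file -------------------

class TextCollector(handler.ContentHandler):
    """Gathers character data so we can see what the parser expanded."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def xxe_payload(path):
    """Constructed attacker document: the entity points at a local file
    (real attacks typically use file:///etc/passwd or a config path)."""
    return ('<?xml version="1.0"?>\n'
            f'<!DOCTYPE req [<!ENTITY xxe SYSTEM "{path}">]>\n'
            '<request><user>&xxe;</user></request>')


def _parse(xml_text, resolve_external):
    parser = xml.sax.make_parser()
    # feature_external_ges decides whether SYSTEM entities are fetched and
    # inlined into the document; True is the vulnerable configuration.
    parser.setFeature(handler.feature_external_ges, resolve_external)
    # External parameter entities are never needed for application data.
    parser.setFeature(handler.feature_external_pes, False)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.StringIO(xml_text))
    return "".join(collector.parts)


def parse_unsafe(xml_text):
    """Vulnerable: the entity is resolved and the file contents are returned."""
    return _parse(xml_text, resolve_external=True)


def parse_hardened(xml_text):
    """Fixed: the entity reference expands to nothing; no file is read."""
    return _parse(xml_text, resolve_external=False)


def xxe_demo():
    """Writes a constructed secret file, feeds a document referencing it to
    both parsers, and returns the text each parser produced."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "w") as f:
        f.write("SECRET-CONFIG-TOKEN\n")
    try:
        doc = xxe_payload(path)
        return {"unsafe": parse_unsafe(doc), "hardened": parse_hardened(doc)}
    finally:
        os.unlink(path)


if __name__ == "__main__":
    db = seed_users()
    print("SQLi, unsafe:", roles_unsafe(db, SQLI_PAYLOAD))
    print("SQLi, safe:  ", roles_safe(db, SQLI_PAYLOAD))
    out = xxe_demo()
    print("XXE, unsafe:  ", repr(out["unsafe"]))
    print("XXE, hardened:", repr(out["hardened"]))
```

In the SQL case the unauthenticated caller only needs a quote character in a request parameter to turn a lookup into a query over every row; stacked statements are not shown because sqlite3's execute() refuses more than one statement per call, but a bound parameter closes the whole class regardless of database. In the XXE case the only difference between the two parsers is the feature_external_ges flag; a stricter policy is to reject any DOCTYPE at all (the defusedxml package does this), which also blocks entity-expansion denial of service.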

 

Affected Products

All versions of HySecure and HyID gateways

  

Resolution 

Accops has released the hotfixes below to remediate the vulnerabilities described above. Hotfixes are available only for HySecure Gateway versions 5.4 SP2 and 5.4 SP5. If you run any other version, first upgrade to one of these two versions and then apply the corresponding security hotfix.

Applicable on HySecure & HyID Version: 5.4 Service Pack 2 only
Details of the Fix: The details of the hotfix, including its download links, are available in the following support article: HYSECURE-5.4SP2-SHF232408

Applicable on HySecure & HyID Version: 5.4 Service Pack 5 only
Details of the Fix: The details of the hotfix, including its download links, are available in the following support article: HYSECURE-5.4SP5-SHF232208


 

Contact 

Please reach out to [email protected] if you have more questions about this update.