Overview
Multiple critical- and high-severity vulnerabilities have been found in all versions of the HySecure & HyID gateway. This document describes these vulnerabilities and the mitigation for them.
Advisory Details
| Field | Value |
| --- | --- |
| Advisory ID | ASA-2023-0801 |
| Issue Date | 2022-08-11 (YYYY-MM-DD) |
| Severity | Critical |
| CVE | N/A |
Vulnerability Details
All versions of the HySecure & HyID gateway are affected by the following vulnerabilities:
- SQL injection: an API call allows an unauthenticated user to inject arbitrary SQL commands.
- XML external entity (XXE) injection: an unauthenticated user can exploit the vulnerability to list internal files of the HySecure gateway.
Affected Products
All versions of HySecure and HyID gateways
Resolution
Accops has released the hotfixes below to remediate the above-mentioned security vulnerabilities. The hotfixes are available for HySecure Gateway versions 5.4 SP2 and 5.4 SP5 only. For any other version, upgrade to one of these two versions before applying the security hotfix.
| Applicable on HySecure & HyID Version | Details of the Fix |
| --- | --- |
| 5.4 Service Pack 2 only | The details of the hotfix, including its download links, are available at the following support article: |
| 5.4 Service Pack 5 only | The details of the hotfix, including its download links, are available at the following support article: |
Contact
Please reach out to [email protected] if you have further questions about this update.