PatchSiren


CVE-2016-10103 Hiteksoftware CVE debrief

CVE-2016-10103 affects Hitek Software Automize and allows information disclosure through encryptionProfiles.jsd because the file’s Read attribute is set for Users. According to the CVE description and NVD record, this can let an attacker recover encrypted passwords for GPG Encryption profiles. NVD assigns the issue a CVSS 3.0 score of 8.1 (HIGH).

Vendor: Hiteksoftware
Product: CVE-2016-10103
CVSS: HIGH 8.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-23
Original CVE updated: 2026-05-13
Advisory published: 2017-01-23
Advisory updated: 2026-05-13

Who should care

Administrators and security teams running Hitek Software Automize 10.x or 11.x, especially environments where non-admin users can read Automize configuration files or profile data.

Technical summary

The vulnerable condition is a permissions problem in encryptionProfiles.jsd: the Read attribute is set for Users. The CVE states this permits recovery of encrypted passwords for GPG Encryption profiles. NVD marks the weakness under CWE-255 and CWE-326 and lists affected Automize versions through 10.25 and through 11.14 in its CPE criteria.

Defensive priority

High. This is a credential-exposure issue affecting encrypted password material, so exposure should be treated as sensitive even if the passwords are stored encrypted. Prioritize access review, version scoping, and rotation of any secrets that may have been exposed.

Recommended defensive actions

  • Audit Automize deployments for versions 10.x up to 10.25 and 11.x up to 11.14.
  • Restrict or remove user-level read access to encryptionProfiles.jsd and related Automize profile files.
  • Treat any GPG Encryption profile passwords that may have been readable as potentially compromised and rotate them.
  • Upgrade to a vendor-fixed release once identified; the supplied corpus does not include a fixed version.
  • Review file and folder ACLs on the Automize host to ensure only required administrative principals can access sensitive configuration data.
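
One way to carry out the ACL review above on a Windows host, as an added example that is not code from the vendor or the CVE record. The install directory is an assumption and must be supplied as a parameter; the script only reads ACLs and reports Allow entries that give broad principals read access to the profile file.

```powershell
# Added example: flag profile files that broad, non-admin principals can read.
param(
    # Assumption: the Automize install directory is site-specific; pass yours.
    [Parameter(Mandatory)][string]$AutomizeDir,
    # File named in the CVE description; change to scan related profile files.
    [string]$Filter = 'encryptionProfiles.jsd'
)

# Well-known SIDs, so the check does not depend on localized group names.
$broadSids = @{
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-1-0'      = 'Everyone'
}
# FILE_READ_DATA (0x1) or GENERIC_READ (0x80000000): file content is readable.
$readBits = 0x1 -bor 0x80000000
$sidType  = [System.Security.Principal.SecurityIdentifier]

$findings = Get-ChildItem -LiteralPath $AutomizeDir -Recurse -File -Filter $Filter |
    ForEach-Object {
        $path = $_.FullName
        $acl  = Get-Acl -LiteralPath $path
        # Explicit and inherited ACEs, with identities returned as SIDs.
        foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
            $sid = $ace.IdentityReference.Value
            # Deny ACEs are not evaluated here, so a hit means "review this".
            if ($ace.AccessControlType -eq 'Allow' -and
                $broadSids.ContainsKey($sid) -and
                ([int]$ace.FileSystemRights -band $readBits)) {
                [pscustomobject]@{
                    Path      = $path
                    Principal = $broadSids[$sid]
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }

if ($findings) {
    $findings | Format-Table -AutoSize -Wrap
    exit 1   # non-zero exit so a scheduled audit can alert on it
}
Write-Output "No broad read ACEs found on '$Filter' under $AutomizeDir"
```

A finding with Inherited set to True means the permission comes from a parent folder, so the ACL change belongs on that folder rather than on the file alone.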

Evidence notes

The CVE record was published on 2017-01-23 and later modified on 2026-05-13 per the supplied NVD data. The CVE description explicitly says information disclosure can occur in encryptionProfiles.jsd because the Read attribute is set for Users, enabling recovery of encrypted passwords for GPG Encryption profiles. NVD’s affected CPE criteria enumerate Automize 10.00 through 10.25 and 11.00 through 11.14 as vulnerable. The record also cites SecurityFocus BID 96850 and a third-party advisory at rastamouse.me/guff/2016/automize/.

Official resources

Publicly disclosed in the CVE record on 2017-01-23, with a third-party advisory referenced by the CVE metadata.