PatchSiren cyber security CVE debrief
CVE-2016-10104 Hiteksoftware CVE debrief
CVE-2016-10104 affects Hitek Software Automize and can expose encrypted SSH/SFTP profile passwords through the sshProfiles.jsd file when the Read attribute is set for Users. The issue is documented as a medium-severity information disclosure and applies to Automize 10.x up to 10.25 and 11.x up to 11.14.
- Vendor: Hiteksoftware
- Product: CVE-2016-10104
- CVSS: MEDIUM 5.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-23
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-23
- Advisory updated: 2026-05-13
Who should care
Automize administrators, IT operations teams, and security teams responsible for systems that store SSH/SFTP profile credentials, especially where ordinary Users can read application files or shared configuration data.
Technical summary
The vulnerability is an information disclosure issue in sshProfiles.jsd. According to the CVE description, the Read attribute being set for Users allows an attacker to recover encrypted passwords for SSH/SFTP profiles. NVD maps the issue to CWE-326 and assigns CVSS 3.0 vector CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N, reflecting high confidentiality impact with no integrity or availability impact.
Defensive priority
High for any Automize deployment that stores SSH/SFTP credentials and exposes sshProfiles.jsd to non-administrative Users; otherwise medium overall in line with the published CVSS 5.9 rating.
Recommended defensive actions
- Review file and application permissions so sshProfiles.jsd and related profile data are not readable by ordinary Users.
- Restrict access to Automize installations that store SSH/SFTP credentials, especially in shared or multi-user environments.
- Inventory affected Automize versions in the 10.x and 11.x ranges listed by NVD and prioritize remediation there first.
- Rotate SSH/SFTP passwords after fixing access controls if there is any chance the encrypted credentials were exposed.
- Consult the vendor and advisory references for any available patched release or vendor guidance before restoring broad read access.
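One way to carry out the first action on a Windows host, as an added example (not code from the vendor, NVD, or the original page): it finds every sshProfiles.jsd under an install directory and lists Allow entries that grant read access to broad groups such as Users. The install path is a placeholder assumption, and the set of groups checked is this example's choice.

```powershell
# Added example: audit who can read sshProfiles.jsd (CVE-2016-10104).
# ASSUMPTION: $InstallRoot is a placeholder; point it at your Automize install directory.
param(
    [string]$InstallRoot = 'C:\PLACEHOLDER\AutomizeInstallDir'
)

# Well-known SIDs for broad, non-administrative principals (this example's choice).
$BroadSids = @{
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-11'     = 'NT AUTHORITY\Authenticated Users'
    'S-1-1-0'      = 'Everyone'
    'S-1-5-4'      = 'NT AUTHORITY\INTERACTIVE'
}

# ReadData is the bit that lets a principal read the file's contents.
$ReadMask = [System.Security.AccessControl.FileSystemRights]::ReadData

function Get-BroadReadAce {
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -LiteralPath $Path
    # Ask for SIDs so localized or renamed group names still match.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        $sid = $rule.IdentityReference.Value
        if (-not $BroadSids.ContainsKey($sid)) { continue }
        if (($rule.FileSystemRights -band $ReadMask) -eq 0) { continue }
        [pscustomobject]@{
            File      = $Path
            Principal = $BroadSids[$sid]
            Rights    = $rule.FileSystemRights
            Inherited = $rule.IsInherited   # true: fix the parent folder's ACL
        }
    }
}

$findings = Get-ChildItem -LiteralPath $InstallRoot -Filter 'sshProfiles.jsd' -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { Get-BroadReadAce -Path $_.FullName }

if ($findings) {
    $findings | Format-Table -AutoSize
    exit 1   # non-zero so a scheduled compliance check can flag the host
} else {
    'No broad read entries found on sshProfiles.jsd.'
}
```

The script only reports Allow entries, so a matching Deny entry may already block the access it lists; treat the output as a review list. Entries marked Inherited come from a parent folder and need to be corrected there.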
Evidence notes
All statements are grounded in the supplied CVE/NVD corpus. The CVE description states that sshProfiles.jsd can reveal encrypted SSH/SFTP profile passwords when Users have Read access. NVD marks the vulnerability as CVSS 5.9, CWE-326, and lists affected Automize 10.x versions through 10.25 and 11.x versions through 11.14. Timing context uses the CVE publication date of 2017-01-23; the 2026-05-13 modified date reflects record maintenance, not the original issue date.
Official resources
- CVE-2016-10104 CVE record (CVE.org)
- CVE-2016-10104 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference
- Mitigation or vendor reference: [email protected] - Third Party Advisory
Publicly disclosed in the CVE/NVD record on 2017-01-23, with supporting references including SecurityFocus BID 96845 and a third-party advisory by rastamouse.me.