PatchSiren

PatchSiren cyber security CVE debrief

CVE-2023-35067 Infodrom Software CVE debrief

CVE-2023-35067 is a high-severity information disclosure issue in Infodrom E-Invoice Approval System before v20230701. According to the published description, the product stores a password in plaintext, which can allow sensitive strings to be read from an executable. The NVD record rates the issue as network-reachable, no-authentication, no-user-interaction, with high confidentiality impact.

Vendor: Infodrom Software
Product: E-Invoice Approval System
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2023-07-25
Original CVE updated: 2024-11-21
Advisory published: 2023-07-25
Advisory updated: 2024-11-21

Who should care

Organizations running Infodrom E-Invoice Approval System, especially deployments still on versions earlier than v20230701. Security teams responsible for application binaries, release artifacts, and secret management should treat this as a credential exposure risk.

Technical summary

The vulnerability is described as plaintext storage of a password that enables read access to sensitive strings within an executable. NVD maps the issue to CVSS 3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating a remote, low-complexity disclosure problem with no integrity or availability impact. NVD also lists CWE-522 and the advisory reference lists CWE-256.

Defensive priority

High for any environment still running affected builds. The issue is easy to reach in principle, has no required privileges or user interaction, and can expose sensitive secrets embedded in software artifacts.

Recommended defensive actions

  • Upgrade Infodrom E-Invoice Approval System to v20230701 or later.
  • Inventory deployed instances and confirm which hosts still run pre-v20230701 builds.
  • Treat any exposed password as compromised and rotate related credentials.
  • Review build and packaging processes to ensure secrets are never embedded in executables or release artifacts.
  • Scan internal binaries and artifact repositories for plaintext credentials as part of remediation validation.

Evidence notes

This debrief is based only on the supplied NVD CVE record and the linked USOM advisory. The NVD record states the affected range as before v20230701 and provides CVSS 3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The supplied metadata also lists secondary weakness mappings CWE-256 and CWE-522. No KEV entry was supplied.

Official resources

CVE published 2023-07-25T07:15:10.770Z and last modified 2024-11-21T08:07:54.810Z. The supplied enrichment does not mark this CVE as KEV.