CVSS Vector (NVD)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:X/V:C/RE:M/U:Red
Description (NVD)
Plaintext Storage of a Password vulnerability in Sparx Systems Pty Ltd. Sparx Pro Cloud Server. In a setup where OpenID is used as the primary method of authentication to Sparx EA, Pro Cloud Server creates local passwords for the users and stores them in plaintext.
Analysis (AI)
Sparx Pro Cloud Server 6.0.163 stores user passwords in plaintext when OpenID authentication is configured, allowing unauthenticated attackers with network access to the backend database or file system to read credentials directly. The CVSS 4.0 score of 9.3 (Critical) reflects network-accessible plaintext credential exposure. The EPSS score of 0.05% (15th percentile) indicates a low probability of widespread exploitation despite the severity. No active exploitation has been confirmed (not in CISA KEV), but SSVC classifies the issue as automatable with total technical impact. The vendor has released version 6.1 with a fix, per its change history.
Technical Context (AI)
CWE-256 (Plaintext Storage of a Password) occurs when an authentication system stores credentials without cryptographic hashing or encryption. Sparx Pro Cloud Server is a collaboration platform for enterprise architecture modeling. When it is configured with OpenID Connect as the primary authentication mechanism, the affected version (6.0.163) creates local user accounts as a fallback or synchronization mechanism but stores their passwords in plaintext rather than as salted hashes produced by a password hashing function (bcrypt, PBKDF2, Argon2, etc.). The CVSS 4.0 vector indicates a network attack vector (AV:N), low attack complexity (AC:L), no required privileges (PR:N) and no user interaction (UI:N), confirming that any attacker with access to the storage location (database server, backup files, or configuration directories) can read credentials directly, with no cryptographic barrier to overcome. This affects cpe:2.3:a:sparx_systems_pty_ltd.:sparx_pro_cloud_server, specifically version 6.0.163, per EUVD data.
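To make the CWE-256 pattern and the salted-hash alternative named above concrete, the following Python is example code added for this page; it is not Sparx Systems code and says nothing about how Pro Cloud Server actually stores accounts. The record format, the account names in the constructed sample store, and the audit helper are all assumptions. It shows the plaintext store beside a PBKDF2-HMAC-SHA256 store with a random per-user salt, constant-time verification, and a defender's audit that flags records that are not recognisable hash records (the check an operator would run over a recovered credential table before deciding which accounts need a forced reset).

```python
import hashlib
import hmac
import os

# Example code (not Sparx code). Iteration count follows the current OWASP
# guidance for PBKDF2-HMAC-SHA256; the "pbkdf2_sha256$iter$salt$digest" record
# layout is an assumption made for this example.
SCHEME = "pbkdf2_sha256"
PBKDF2_ITERATIONS = 600_000


def store_plaintext(password: str) -> str:
    """The CWE-256 pattern: the secret itself is what gets written to storage."""
    return password


def store_hashed(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Hardened form: random 16-byte salt, PBKDF2-HMAC-SHA256, self-describing record."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def parse_record(record: str):
    """Return (iterations, salt, digest) for a well-formed hash record, else None."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        return None
    try:
        iterations = int(parts[1])
        salt = bytes.fromhex(parts[2])
        digest = bytes.fromhex(parts[3])
    except ValueError:
        return None
    if iterations <= 0 or len(salt) != 16 or len(digest) != 32:
        return None
    return iterations, salt, digest


def verify_hashed(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time.

    A record that is not a hash record (e.g. a plaintext password) never verifies,
    so a leftover plaintext entry cannot be used as a login credential here."""
    parsed = parse_record(record)
    if parsed is None:
        return False
    iterations, salt, digest = parsed
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def audit_records(records: dict) -> list:
    """Defender's check: list accounts whose stored value is not a hash record.

    Anything that fails to parse is treated as exposed (most likely plaintext)
    and is a candidate for a forced password reset."""
    return sorted(user for user, value in records.items() if parse_record(value) is None)


def demo() -> dict:
    """Constructed sample store mixing both storage styles; not real data."""
    store = {
        "alice": store_plaintext("correct horse battery staple"),  # CWE-256
        "bob": store_hashed("hunter2"),                              # hardened
    }
    return {
        "exposed_accounts": audit_records(store),
        "bob_login_ok": verify_hashed("hunter2", store["bob"]),
        "bob_wrong_password": verify_hashed("hunter3", store["bob"]),
        "alice_record_readable_as_is": store["alice"] == "correct horse battery staple",
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design points worth noting: the salt is generated per record, so two users with the same password get different stored values and a leaked table cannot be attacked with one precomputed dictionary; and the record carries its own scheme and iteration count, so the cost parameter can be raised later without breaking verification of older entries.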
Remediation (AI)
Upgrade immediately to Sparx Pro Cloud Server version 6.1 or later, which addresses this vulnerability per the vendor release history at https://sparxsystems.com/products/procloudserver/6.1/history.html. After upgrading, force password resets for all local user accounts created during the vulnerable period, since plaintext credentials may have been logged, backed up, or cached. If immediate patching is not feasible, implement compensating controls: restrict network access to the backend database and configuration storage with firewall rules that allow only the application server IP addresses (eliminates the remote attack vector but does not protect against local threats or a compromised application server); enable database-level encryption at rest with key management separated from the application servers (adds a cryptographic barrier, but the keys may still be reachable from a compromised system); implement file integrity monitoring on the password storage locations with alerting on unauthorized access (detection only; it does not prevent exposure); and disable local account creation by enforcing purely federated authentication with no local fallback (this may break disaster recovery access, so document break-glass procedures first). Note that these compensating controls do not eliminate the plaintext storage itself and should be treated only as temporary measures pending the upgrade.
EUVD-2025-209514
GHSA-9gf7-444h-6v98