Use of Hard-coded Cryptographic Key in leantime/leantime


Reported on

Sep 2nd 2021

✍️ Description

In the application's source code, the secret hash value and the initialization vector are hard-coded.

🕵️‍♂️ Proof of Concept

In the following code snippet, we can see the hard-coded secret hash and IV.

    private $encryptionMethod = 'AES-256-CBC';

    private $secrethash = 'z5xXjI?maCHMGXW2neV8?0T<uD&<N4$j!K/W$V8(q~';

    private $iv = '123';

    function __construct()

In the following snippet, we can see that these values are being used.

    $returnValues = array();
    foreach($values as $value) {
        $value['name'] = openssl_decrypt($value['name'], $this->encryptionMethod, $this->secrethash);
        $value['username'] = openssl_decrypt($value['username'], $this->encryptionMethod, $this->secrethash);
        $value['password'] = openssl_decrypt($value['password'], $this->encryptionMethod, $this->secrethash);
        $value['host'] = openssl_decrypt($value['host'], $this->encryptionMethod, $this->secrethash);
        $value['kind'] = openssl_decrypt($value['kind'], $this->encryptionMethod, $this->secrethash);
        $returnValues[] = $value;
    }

    return $returnValues;

💥 Impact

A malicious actor who has access to the database can use the hard-coded secret and IV to decrypt the data stored in it.
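
A hardened counterpart to the snippets above, as an added example that is neither leantime's code nor the fix it shipped: the key is supplied from outside the source tree and every value gets its own random IV. The class name FieldCipher, the environment variable APP_ENCRYPTION_KEY and the switch to AES-256-GCM (authenticated encryption in place of the CBC mode shown above) are assumptions made for illustration.

```php
<?php
// Added example, not leantime code. FieldCipher and APP_ENCRYPTION_KEY are assumed names.
final class FieldCipher
{
    private const METHOD = 'aes-256-gcm';
    private const TAG_LEN = 16;
    private string $key;

    public function __construct(string $base64Key)
    {
        $key = base64_decode($base64Key, true);
        // Fail closed on a missing or short key; never fall back to a built-in default.
        if ($key === false || strlen($key) !== 32) {
            throw new RuntimeException('Key must be 32 random bytes, base64-encoded');
        }
        $this->key = $key;
    }

    public function encrypt(string $plaintext): string
    {
        // Fresh random IV per value, so equal plaintexts produce different ciphertexts.
        $iv = random_bytes(openssl_cipher_iv_length(self::METHOD));
        $tag = '';
        $ct = openssl_encrypt($plaintext, self::METHOD, $this->key, OPENSSL_RAW_DATA, $iv, $tag);
        if ($ct === false) {
            throw new RuntimeException('Encryption failed');
        }
        // IV and tag are not secret; store them with the ciphertext.
        return base64_encode($iv . $tag . $ct);
    }

    public function decrypt(string $stored): string
    {
        $raw = base64_decode($stored, true);
        $ivLen = openssl_cipher_iv_length(self::METHOD);
        if ($raw === false || strlen($raw) < $ivLen + self::TAG_LEN) {
            throw new RuntimeException('Malformed ciphertext');
        }
        $iv = substr($raw, 0, $ivLen);
        $tag = substr($raw, $ivLen, self::TAG_LEN);
        $ct = substr($raw, $ivLen + self::TAG_LEN);
        $pt = openssl_decrypt($ct, self::METHOD, $this->key, OPENSSL_RAW_DATA, $iv, $tag);
        if ($pt === false) {
            throw new RuntimeException('Decryption failed: wrong key or modified data');
        }
        return $pt;
    }
}
// Constructed demo key; a deployment would pass getenv('APP_ENCRYPTION_KEY') instead.
$cipher = new FieldCipher(base64_encode(random_bytes(32)));
var_dump($cipher->decrypt($cipher->encrypt('sample-password')) === 'sample-password');
```

Rows encrypted under the old hard-coded secret have to be decrypted with it once and re-encrypted under the new key, since that secret remains readable in the repository history.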

We have contacted a member of the leantime team and are waiting to hear back 2 years ago
Marcel Folaron validated this vulnerability 2 years ago
TheLabda has been awarded the disclosure bounty
The fix bounty is now up for grabs
Marcel Folaron marked this as fixed in 2.1.9 with commit c204bc a year ago
Marcel Folaron has been awarded the fix bounty
This vulnerability will not receive a CVE