Vulnerabilities in ScrumWorks Basic Server
Several vulnerabilities in the ScrumWorks Basic Server can be exploited to reveal users' access credentials. For instance, names and passwords are transmitted to the server in plain text and are also stored in plain text on the server side. Both holes are documented in a CVE entry and the US-CERT has released an advisory about the issue. ScrumWorks, developed by CollabNet, is an agile management tool.
Developer David Elze, who discovered the holes, says that another hole he also documented is missing from the CVE entry. Apparently, the ScrumWorks server can be prompted to send to the client a comprehensive list of all users and their passwords as a compressed, unencrypted Java object via the ScrumWorks client's Team Manager feature. When asked by The H's associates at heise Security, Elze said he doesn't know why the problem wasn't included in the official CVE entry. The developer said that he had formulated it very clearly in the description he submitted.
According to Elze, the ScrumWorks Pro Server is unaffected and only responds with salted hashes. CollabNet's official response appears to confirm this: the vendor told US-CERT that, in the basic version, it intends to continue transmitting and storing the credentials in unencrypted form. CollabNet suggests that users either switch to the commercial ScrumWorks Pro to solve the problem, or increase the protection of their network infrastructure against unauthorised access.
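The two storage designs the article contrasts, plain-text records versus per-user salted hashes, side by side, as an added example that is not from the article and not CollabNet's or ScrumWorks' own code. The sample users, the PBKDF2-HMAC-SHA256 construction and its iteration count are assumptions chosen for the illustration; the page says only that the Pro server uses salted hashes, not which algorithm.

```python
import hashlib
import hmac
import os

# Constructed sample credentials (not from the article); they stand in for the
# user names and passwords that ScrumWorks Basic transmits and stores in plain text.
SAMPLE_USERS = {
    "alice": "correct horse battery staple",
    "bob": "hunter2",
}

# Assumption for the demo: a modest PBKDF2 work factor so the example runs quickly.
# A production deployment should use a considerably higher cost.
PBKDF2_ITERATIONS = 200_000


def plaintext_store(users):
    """Model the weak design: the stored record *is* the password.

    Anyone who can read the store, or a server response carrying it,
    holds every user's credential outright."""
    return {user: {"password": pw} for user, pw in users.items()}


def salted_hash_record(password, salt=None):
    """Derive a per-user salted hash (PBKDF2-HMAC-SHA256, an assumed choice).

    A fresh 16-byte random salt per record means two users with the same
    password get different hashes, and precomputed tables do not apply."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": PBKDF2_ITERATIONS}


def salted_store(users):
    """Model the stronger design: only salt + hash are kept per user."""
    return {user: salted_hash_record(pw) for user, pw in users.items()}


def verify_password(record, candidate):
    """Recompute the hash from the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), salt, record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def leaks_passwords(store):
    """Would dumping this store hand a reader the literal passwords?

    True for the plain-text design; a salted-hash store exposes only
    values that still have to be brute-forced per user."""
    return any("password" in rec for rec in store.values())


if __name__ == "__main__":
    weak = plaintext_store(SAMPLE_USERS)
    strong = salted_store(SAMPLE_USERS)
    print("plaintext store leaks passwords:", leaks_passwords(weak))
    print("salted store leaks passwords:", leaks_passwords(strong))
    print("alice verifies:", verify_password(strong["alice"], SAMPLE_USERS["alice"]))
```

The `leaks_passwords` check is the property a defender cares about: a dump of the salted store, whether read from disk or captured from a server response, yields no credential that works as-is, whereas a dump of the plain-text store is the credential set itself.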