Home

Description

Insufficiently Protected Credentials vulnerability in Sparx Systems Pty Ltd. Sparx Enterprise Architect. Client reveals plaintext OAuth2 client secretDesktop client decodes the secret and uses the plaintext secret to exchange it into an access and id tokens as part of the OpenID authentication flow.

PUBLISHED Reserved 2026-04-09 | Published 2026-04-17 | Updated 2026-04-17 | Assigner NCSC-FI




MEDIUM: 6.2CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:H/SI:L/SA:N/S:P/AU:Y/V:C/RE:M/U:Red

Problem types

CWE-522: Insufficiently Protected Credentials

Product status

Default status
unknown

16.1.1627
affected

17.1.1714
unaffected

Credits

Pasi Orovuo, Solita Oy finder

Henri Hämäläinen, Solita Oy finder

Samu Ahvenainen, Solita Oy finder

References

sparxsystems.com/products/ea/17.1/history.html

cve.org (CVE-2025-15622)

nvd.nist.gov (CVE-2025-15622)

Download JSON