WAPPLES Web Application Firewall through 6.0 contains a hardcoded credentials vulnerability. It contains a hardcoded system account accessible via db/wp.no1, as configured in the /opt/penta/wapples/script/wcc_auto_scaling.py file. An attacker can use this account to access system configuration and confidential information, such as SSL keys, via an HTTPS request to the /webapi/ URI on port 443 or 5001.
View the template here CVE-2022-35413.yaml
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35413