
Cloud Vulnerability DB
A community-led vulnerabilities database
Fiserv Prologue through 2020-12-16 contains a vulnerability related to improper protection of database passwords. The vulnerability, identified as CVE-2020-35992, allows attackers who gain access to the configuration file (specifically, the LogPassword attribute within appconfig.ini) to decrypt stored database passwords due to the use of a static encryption key across all installations (NVD, PrologueDecrypt).
The vulnerability has been assigned a CVSS v3.1 Base Score of 6.5 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The technical issue stems from Fiserv Prologue's implementation of password encryption using a static encryption key that is consistent across all installations, making it possible to decrypt database passwords stored in configuration files (NVD).
If successfully exploited, this vulnerability would allow attackers to obtain cleartext credentials for the database, potentially exposing financial records of customers stored within the database. In some cases, the compromised credentials could also enable remote login to the database (NVD).
The vulnerability affects versions of Fiserv Prologue through December 16, 2020. Organizations using Fiserv Prologue should ensure they are running a version released after that date (NVD).
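One way to inventory where the affected attribute is stored on disk, as an added example that is not from the advisory or from Fiserv: the script walks a directory tree, finds every appconfig.ini with a non-empty LogPassword, and reports its path and exposure without printing the stored value. It assumes INI-style `LogPassword=value` lines; the function names are illustrative, and the permission check reads POSIX mode bits only.

```python
import os
import re
import sys

# From the advisory: file name appconfig.ini and attribute LogPassword.
# Assumption: the attribute is stored as an INI-style "LogPassword=value" line.
LOGPASSWORD_RE = re.compile(r"^\s*LogPassword\s*=\s*(\S.*)$", re.IGNORECASE)


def audit_config(path):
    """Inspect one config file; report exposure facts, never the stored value."""
    with open(path, "r", encoding="utf-8-sig", errors="replace") as fh:
        present = any(LOGPASSWORD_RE.match(line) for line in fh)
    world_readable = None  # unknown: on Windows, review the file ACL instead
    if os.name == "posix":
        world_readable = bool(os.stat(path).st_mode & 0o004)
    return {"path": path, "logpassword_present": present,
            "world_readable": world_readable}


def scan_tree(root):
    """Walk root; return findings for each appconfig.ini holding LogPassword."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != "appconfig.ini":
                continue
            full = os.path.join(dirpath, name)
            try:
                finding = audit_config(full)
            except OSError as exc:  # unreadable file: record it, keep scanning
                finding = {"path": full, "error": str(exc)}
            if finding.get("logpassword_present") or "error" in finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for item in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(item)
```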
Source: This report was generated using AI