CVE-2012-0034

2013-02-0523:55:00

CWE-255

[email protected]

web.nvd.nist.gov

cve-2012-0034

nonmanagedconnectionfactory

jboss

eap

web platform

ewp

brms platform

cleartext

sensitive information

local users

log file

nvd

5.2 Medium

AI Score

Confidence

High

2.1 Low

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:L/Au:N/C:P/I:N/A:N

0.0004 Low

EPSS

Percentile

9.3%

JSON

The NonManagedConnectionFactory in JBoss Enterprise Application Platform (EAP) 5.1.2 and 5.2.0, Web Platform (EWP) 5.1.2 and 5.2.0, and BRMS Platform before 5.3.1 logs the username and password in cleartext when an exception is thrown, which allows local users to obtain sensitive information by reading the log file.

CPENameOperatorVersion
redhat:jboss_enterprise_application_platformredhat jboss enterprise application platformeq5.1.2
redhat:jboss_enterprise_application_platformredhat jboss enterprise application platformeq5.2.0
redhat:jboss_enterprise_web_platformredhat jboss enterprise web platformeq5.2.0
redhat:jboss_enterprise_web_platformredhat jboss enterprise web platformeq5.1.2
redhat:jboss_enterprise_brms_platformredhat jboss enterprise brms platformle5.3.0

CPE	Name	Operator	Version
redhat:jboss_enterprise_application_platform	redhat jboss enterprise application platform	eq	5.1.2
redhat:jboss_enterprise_application_platform	redhat jboss enterprise application platform	eq	5.2.0
redhat:jboss_enterprise_web_platform	redhat jboss enterprise web platform	eq	5.2.0
redhat:jboss_enterprise_web_platform	redhat jboss enterprise web platform	eq	5.1.2
redhat:jboss_enterprise_brms_platform	redhat jboss enterprise brms platform	le	5.3.0