Lucene search

GitHub Advisory DatabaseGHSA-RP7R-79RM-2758

HistoryMay 01, 2022 - 2:31 a.m.

Apache Derby exposes user and password attributes

2022-05-0102:31:27

CWE-200

GitHub Advisory Database

github.com

apache derby

sensitive information

cleartext

accsec command

databasemetadata

context-dependent attackers

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

EPSS

0.001

Percentile

21.7%

JSON

Apache Derby before 10.1.2.1 exposes the (1) user and (2) password attributes in cleartext via (a) the RDBNAM parameter of the ACCSEC command and (b) the output of the DatabaseMetaData.getURL function, which allows context-dependent attackers to obtain sensitive information.

Affected configurations

Vulners

Node

org.apache.derby\Matchderby

References

db.apache.org/derby/releases/release-10.1.2.1.html

issues.apache.org/jira/browse/DERBY-530

issues.apache.org/jira/browse/DERBY-559

svn.apache.org/viewvc?view=revision&revision=289672

github.com/advisories/GHSA-rp7r-79rm-2758

github.com/apache/derby/commit/09a7325f75a4f96a7735e46c9723930f88ea2613

github.com/apache/derby/commit/82d721fd53e30dbb86d6d742c085030985091968

github.com/apache/derby/commit/fd24a7590ff5426bac68303fbeca07dbc5067412

nvd.nist.gov/vuln/detail/CVE-2005-4849

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

EPSS

0.001

Percentile

21.7%

JSON

Related for GHSA-RP7R-79RM-2758