Lucene search

K
githubGitHub Advisory DatabaseGHSA-RP7R-79RM-2758
HistoryMay 01, 2022 - 2:31 a.m.

Apache Derby exposes user and password attributes

2022-05-0102:31:27
CWE-200
GitHub Advisory Database
github.com
8
apache derby
sensitive information
cleartext
accsec command
databasemetadata
context-dependent attackers

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

EPSS

0.001

Percentile

21.7%

Apache Derby before 10.1.2.1 exposes the (1) user and (2) password attributes in cleartext via (a) the RDBNAM parameter of the ACCSEC command and (b) the output of the DatabaseMetaData.getURL function, which allows context-dependent attackers to obtain sensitive information.

Affected configurations

Vulners
Node
org.apache.derby\Matchderby

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

EPSS

0.001

Percentile

21.7%

Related for GHSA-RP7R-79RM-2758