Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Debezium UI 2.5 Credential Disclosure

🗓️ 24 May 2024 00:00:00Reported by Ihsan Cetin, Hamza Kaya ToprakType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 404 Views

Debezium UI 2.5 Credential Leakage Vulnerabilit

Related
Code
ReporterTitlePublishedViews
Family
0day.today		Debezium UI 2.5 Credential Disclosure Vulnerability
28 May 202400:00
zdt
CNNVD		Debezium UI 安全漏洞
24 May 202400:00
cnnvd
CVE		CVE-2024-28736
31 May 202415:41
cve
Cvelist		CVE-2024-28736
31 May 202415:41
cvelist
EUVD		EUVD-2024-25825
3 Oct 202520:07
euvd
NVD		CVE-2024-28736
31 May 202416:15
nvd
Positive Technologies		PT-2024-22549 · Unknown · Debezium Community Debezium-Ui
31 May 202400:00
ptsecurity
RedhatCVE		CVE-2024-28736
14 Feb 202503:07
redhatcve
Vulnrichment		CVE-2024-28736
31 May 202415:41
vulnrichment
`# Exploit Title: Debezium UI - Credential Leakage  
  
# Google Dork: N/A  
  
# Date: [2024-03-11]  
  
# Exploit Author: Ihsan Cetin, Hamza Kaya Toprak  
  
# Vendor Homepage: https://debezium.io/  
  
# Software Link: N/A  
  
# Version: < 2.5 (REQUIRED)  
  
# Tested on: [N/A]  
  
# CVE : CVE-2024-28736  
  
Proof of concept:  
  
# Details  
  
#Debezium-ui (version 2.5) is vulnerable to a password exposure issue that could allow an attacker to retrieve sensitive credentials in plaintext format.  
  
# PoC :  
  
#Unmasked Password in Connector Configuration: When navigating to the connectors section within the application's connector screen, the password field, which should ideally be masked for security purposes, is briefly displayed in plaintext format during the initial seconds.  
  
# Plaintext Password Retrieval via API Endpoint: By accessing the URL  
  
http://10.0.15.51:8080//api/connectors/1/account-activity/config  
  
#and searching for the database.password parameter, an attacker can retrieve the database password in plaintext format without any authentication.  
  
  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
24 May 2024 00:00Current
7.4High risk
Vulners AI Score7.4
EPSS0.01285
debeziumcredential leakagepassword exposureplaintext retrievalapi endpointsecurity issue
404