Description
Apache Derby before 10.1.2.1 exposes the (1) user and (2) password attributes in cleartext via (a) the RDBNAM parameter of the ACCSEC command and (b) the output of the DatabaseMetaData.getURL function, which allows context-dependent attackers to obtain sensitive information.
Remediation
References
http://db.apache.org/derby/releases/release-10.1.2.1.html
http://issues.apache.org/jira/browse/DERBY-530
http://issues.apache.org/jira/browse/DERBY-559