Description
Apache Derby before 10.1.2.1 exposes the (1) user and (2) password attributes in cleartext via (a) the RDBNAM parameter of the ACCSEC command and (b) the output of the DatabaseMetaData.getURL function, which allows context-dependent attackers to obtain sensitive information.
Remediation
References
http://db.apache.org/derby/releases/release-10.1.2.1.html
http://issues.apache.org/jira/browse/DERBY-530
http://issues.apache.org/jira/browse/DERBY-559