Description

Apache Derby before 10.1.2.1 exposes the (1) user and (2) password attributes in cleartext via (a) the RDBNAM parameter of the ACCSEC command and (b) the output of the DatabaseMetaData.getURL function, which allows context-dependent attackers to obtain sensitive information.

Remediation

References

http://db.apache.org/derby/releases/release-10.1.2.1.html

http://issues.apache.org/jira/browse/DERBY-530

http://issues.apache.org/jira/browse/DERBY-559

Related Vulnerabilities

CVE-2023-6293 Vulnerability in npm package sequelize-typescript

CVE-2018-16153 Vulnerability in maven package org.opencastproject:opencast-common

CVE-2016-5019 Vulnerability in maven package org.apache.myfaces.trinidad:trinidad-impl

CVE-2022-2216 Vulnerability in npm package parse-url

CVE-2021-23566 Vulnerability in npm package nanoid

Severity

Critical

Classification

CWE-200

Tags

Patch