Description

Apache Derby before 10.1.2.1 exposes the (1) user and (2) password attributes in cleartext via (a) the RDBNAM parameter of the ACCSEC command and (b) the output of the DatabaseMetaData.getURL function, which allows context-dependent attackers to obtain sensitive information.

Remediation

References

http://db.apache.org/derby/releases/release-10.1.2.1.html

http://issues.apache.org/jira/browse/DERBY-530

http://issues.apache.org/jira/browse/DERBY-559

Related Vulnerabilities

CVE-2021-46708 Vulnerability in maven package org.webjars:swagger-ui

CVE-2019-19919 Vulnerability in maven package li.rudin.mavenjs:handlebars

CVE-2021-41151 Vulnerability in npm package @backstage/plugin-scaffolder-backend

CVE-2021-21252 Vulnerability in maven package org.webjars:jquery-validation

CVE-2020-6836 Vulnerability in maven package org.webjars.npm:hot-formula-parser

Severity

Critical

Classification

CWE-200

Tags

Patch