Description
Apache Derby before 10.1.2.1 exposes the (1) user and (2) password attributes in cleartext via (a) the RDBNAM parameter of the ACCSEC command and (b) the output of the DatabaseMetaData.getURL function, which allows context-dependent attackers to obtain sensitive information.
Remediation
References
http://db.apache.org/derby/releases/release-10.1.2.1.html
http://issues.apache.org/jira/browse/DERBY-530
http://issues.apache.org/jira/browse/DERBY-559