Vulnerability Name: CVE-2012-0034 (CCN-72350)
Assigned: 2011-12-30
Published: 2011-12-30
Updated: 2015-01-18
Summary: The NonManagedConnectionFactory in JBoss Enterprise Application Platform (EAP) 5.1.2 and 5.2.0, Web Platform (EWP) 5.1.2 and 5.2.0, and BRMS Platform before 5.3.1 logs the username and password in cleartext when an exception is thrown, which allows local users to obtain sensitive information by reading the log file.
  Per http://rhn.redhat.com/errata/RHSA-2013-0192.html "This JBoss Enterprise Application Platform 5.2.0 release serves as a replacement for JBoss Enterprise Application Platform 5.1.2, and includes bug fixes and enhancements."
  Per http://rhn.redhat.com/errata/RHSA-2013-0196.html "This JBoss Enterprise Web Platform 5.2.0 release serves as a replacement for JBoss Enterprise Web Platform 5.1.2, and includes bug fixes and enhancements."
CVSS v3 Severity: 4.0 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVSS v2 Severity:
  2.1 Low (CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N)
  1.6 Low (Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)
  1.6 Low (CCN Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)
Vulnerability Type: CWE-255
Vulnerability Consequences: Obtain Information
References:
  Source: MITRE Type: CNA CVE-2012-0034
  Source: REDHAT Type: Vendor Advisory RHSA-2012:0108
  Source: REDHAT Type: UNKNOWN RHSA-2012:1072
  Source: CCN Type: RHSA-2013-0191 Important: JBoss Enterprise Application Platform 5.2.0 update
  Source: REDHAT Type: UNKNOWN RHSA-2013:0191
  Source: CCN Type: RHSA-2013-0192 Important: JBoss Enterprise Application Platform 5.2.0 update
  Source: REDHAT Type: Vendor Advisory RHSA-2013:0192
  Source: CCN Type: RHSA-2013-0193 Important: JBoss Enterprise Application Platform 5.2.0 update
  Source: REDHAT Type: UNKNOWN RHSA-2013:0193
  Source: CCN Type: RHSA-2013-0195 Important: JBoss Enterprise Web Platform 5.2.0 update
  Source: REDHAT Type: Vendor Advisory RHSA-2013:0195
  Source: CCN Type: RHSA-2013-0196 Important: JBoss Enterprise Web Platform 5.2.0 update
  Source: REDHAT Type: Vendor Advisory RHSA-2013:0196
  Source: CCN Type: RHSA-2013-0197 Important: JBoss Enterprise Web Platform 5.2.0 update
  Source: REDHAT Type: Vendor Advisory RHSA-2013:0197
  Source: REDHAT Type: UNKNOWN RHSA-2013:0221
  Source: REDHAT Type: UNKNOWN RHSA-2013:0533
  Source: CCN Type: SA47521 JBoss Cache NonManagedConnectionFactory Credentials Logging Weakness
  Source: SECUNIA Type: Vendor Advisory 51984
  Source: SECUNIA Type: Vendor Advisory 52054
  Source: OSVDB Type: UNKNOWN 78259
  Source: CCN Type: OSVDB ID: 78259 JBoss Cache jboss/cache/loader/NonManagedConnectionFactory.java getConnection() Function Cleartext Credential Local Information Disclosure
  Source: BID Type: UNKNOWN 51392
  Source: CCN Type: BID-51392 JBoss Cache 'NonManagedConnectionFactory.java' Local Information Disclosure Vulnerability
  Source: CCN Type: Red Hat Bugzilla Bug 772835 CVE-2012-0034 JBoss Cache: NonManagedConnectionFactory will log password in clear text when an exception occurs
  Source: MISC Type: UNKNOWN https://bugzilla.redhat.com/show_bug.cgi?id=772835
  Source: XF Type: UNKNOWN jboss-cache-info-disclosure(72350)
  Source: CCN Type: JBCACHE-1612 JBoss Cache NonManagedConnectionFactory will log the password in clear text when an exception occurs
  Source: CONFIRM Type: UNKNOWN https://issues.jboss.org/browse/JBCACHE-1612
Vulnerable Configuration: Configuration 1: Configuration 2: Configuration 3: Denotes that component is vulnerable