CVE-2005-4849
Summary
| CVE | CVE-2005-4849 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2005-12-31 05:00:00 UTC |
| Updated | 2008-09-05 04:00:00 UTC |
| Description | Apache Derby before 10.1.2.1 exposes the (1) user and (2) password attributes in cleartext via (a) the RDBNAM parameter of the ACCSEC command and (b) the output of the DatabaseMetaData.getURL function, which allows context-dependent attackers to obtain sensitive information. |
Risk And Classification
Problem Types: CWE-200
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Apache Derby 10.1.2.1 Release | CONFIRM | db.apache.org | Patch |
| [#DERBY-530] ClientDriver ignores Properties object in connect(String url, Properties connectionProperties) method - ASF JIRA | CONFIRM | issues.apache.org | |
| [#DERBY-559] With Network Client, user and password attriubtes specified in the url should not be sent to hte server with the RDBNAM or print with getURL - ASF JIRA | CONFIRM | issues.apache.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.