{"api_version":"1","generated_at":"2026-04-23T01:18:20+00:00","cve":"CVE-2005-4849","urls":{"html":"https://cve.report/CVE-2005-4849","api":"https://cve.report/api/cve/CVE-2005-4849.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2005-4849","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2005-4849"},"summary":{"title":"CVE-2005-4849","description":"Apache Derby before 10.1.2.1 exposes the (1) user and (2) password attributes in cleartext via (a) the RDBNAM parameter of the ACCSEC command and (b) the output of the DatabaseMetaData.getURL function, which allows context-dependent attackers to obtain sensitive information.","state":"PUBLISHED","assigner":"mitre","published_at":"2005-12-31 05:00:00","updated_at":"2025-04-03 01:03:51"},"problem_types":["CWE-200","n/a"],"metrics":[{"version":"2.0","source":"nvd@nist.gov","type":"Primary","score":"5","severity":"","vector":"AV:N/AC:L/Au:N/C:P/I:N/A:N","data":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:N/A:N","baseScore":5,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE"}}],"references":[{"url":"http://issues.apache.org/jira/browse/DERBY-559","name":"http://issues.apache.org/jira/browse/DERBY-559","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"[#DERBY-559] With Network Client, user and password attriubtes specified in the url should not  be sent to hte server with the RDBNAM or print with getURL - ASF JIRA","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://issues.apache.org/jira/browse/DERBY-530","name":"http://issues.apache.org/jira/browse/DERBY-530","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"[#DERBY-530] ClientDriver ignores Properties object in connect(String url, Properties connectionProperties) method - ASF JIRA","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://db.apache.org/derby/releases/release-10.1.2.1.html","name":"http://db.apache.org/derby/releases/release-10.1.2.1.html","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"],"title":"Apache Derby 10.1.2.1 Release","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2005-4849","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2005-4849","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"n/a","product":"n/a","version":"affected n/a","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2005","cve_id":"4849","vulnerable":"1","versionEndIncluding":"10.1.1.0","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"derby","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"providerMetadata":{"dateUpdated":"2024-08-08T00:01:23.523Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"http://issues.apache.org/jira/browse/DERBY-559"},{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"http://issues.apache.org/jira/browse/DERBY-530"},{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"http://db.apache.org/derby/releases/release-10.1.2.1.html"}],"title":"CVE Program Container"}],"cna":{"affected":[{"product":"n/a","vendor":"n/a","versions":[{"status":"affected","version":"n/a"}]}],"descriptions":[{"lang":"en","value":"Apache Derby before 10.1.2.1 exposes the (1) user and (2) password attributes in cleartext via (a) the RDBNAM parameter of the ACCSEC command and (b) the output of the DatabaseMetaData.getURL function, which allows context-dependent attackers to obtain sensitive information."}],"problemTypes":[{"descriptions":[{"description":"n/a","lang":"en","type":"text"}]}],"providerMetadata":{"dateUpdated":"2007-07-05T20:00:00.000Z","orgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","shortName":"mitre"},"references":[{"tags":["x_refsource_CONFIRM"],"url":"http://issues.apache.org/jira/browse/DERBY-559"},{"tags":["x_refsource_CONFIRM"],"url":"http://issues.apache.org/jira/browse/DERBY-530"},{"tags":["x_refsource_CONFIRM"],"url":"http://db.apache.org/derby/releases/release-10.1.2.1.html"}],"x_legacyV4Record":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2005-4849","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Apache Derby before 10.1.2.1 exposes the (1) user and (2) password attributes in cleartext via (a) the RDBNAM parameter of the ACCSEC command and (b) the output of the DatabaseMetaData.getURL function, which allows context-dependent attackers to obtain sensitive information."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"name":"http://issues.apache.org/jira/browse/DERBY-559","refsource":"CONFIRM","url":"http://issues.apache.org/jira/browse/DERBY-559"},{"name":"http://issues.apache.org/jira/browse/DERBY-530","refsource":"CONFIRM","url":"http://issues.apache.org/jira/browse/DERBY-530"},{"name":"http://db.apache.org/derby/releases/release-10.1.2.1.html","refsource":"CONFIRM","url":"http://db.apache.org/derby/releases/release-10.1.2.1.html"}]}}}},"cveMetadata":{"assignerOrgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","assignerShortName":"mitre","cveId":"CVE-2005-4849","datePublished":"2007-07-05T20:00:00.000Z","dateReserved":"2007-07-05T00:00:00.000Z","dateUpdated":"2024-09-16T23:56:48.968Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.1"},"nvd":{"publishedDate":"2005-12-31 05:00:00","lastModifiedDate":"2025-04-03 01:03:51","problem_types":["CWE-200","n/a"],"metrics":{"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:N/A:N","baseScore":5,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE"},"baseSeverity":"MEDIUM","exploitabilityScore":10,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:apache:derby:*:*:*:*:*:*:*:*","versionEndIncluding":"10.1.1.0","matchCriteriaId":"CC38C5D7-D8E5-4C7E-A047-65AF50FB3110"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2005","CveId":"4849","Ordinal":"1","Title":"CVE-2005-4849","CVE":"CVE-2005-4849","Year":"2005"},"notes":[{"CveYear":"2005","CveId":"4849","Ordinal":"1","NoteData":"Apache Derby before 10.1.2.1 exposes the (1) user and (2) password attributes in cleartext via (a) the RDBNAM parameter of the ACCSEC command and (b) the output of the DatabaseMetaData.getURL function, which allows context-dependent attackers to obtain sensitive information.","Type":"Description","Title":"CVE-2005-4849"},{"CveYear":"2005","CveId":"4849","Ordinal":"2","NoteData":"2007-07-05","Type":"Other","Title":"Published"}]}}}