Sybase EAServer J2EE Application Clients and Java GUI Applications Password Disclosure Vulnerability

Bugtraq ID:	18036
Class:	Access Validation Error
CVE:
Remote:	No
Local:	Yes
Published:	Apr 13 2006 12:00AM
Updated:	May 19 2006 11:13PM
Credit:	Announced by the vendor.
Vulnerable:	Sybase Enterprise Application Server 5.2 Sybase Enterprise Application Server 5.0 Sybase Enterprise Application Server 5.3
Not Vulnerable:

Sybase EAServer J2EE Application Clients and Java GUI Applications Password Disclosure Vulnerability

Sybase EAServer may expose passwords through GUI applications. A local user could exploit this vulnerability to view another user's password.

EAServer versions 5.0, 5.2 and 5.3 are vulnerable to this issue.

This issue affects users who develop and deploy their own GUI applications using J2EE Application Clients and Java GUI applications with EAServer. GUI applications built by other vendors may also be affected.

Sybase EAServer J2EE Application Clients and Java GUI Applications Password Disclosure Vulnerability

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected]

Sybase EAServer J2EE Application Clients and Java GUI Applications Password Disclosure Vulnerability

Solution:
Fixes are available. Contact the vendor for further information.

Sybase EAServer J2EE Application Clients and Java GUI Applications Password Disclosure Vulnerability

References:

• Sybase Homepage (Sybase)
  
• Urgent from Sybase: Possible security vulnerability using password fields in J2E (Sybase)