2262060 – (CVE-2024-1102) CVE-2024-1102 jberet: jberet-core logging database credentials

Bug 2262060 (CVE-2024-1102) - CVE-2024-1102 jberet: jberet-core logging database credentials

Summary: CVE-2024-1102 jberet: jberet-core logging database credentials

Keywords:
Status:	NEW
Alias:	CVE-2024-1102
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2262063
TreeView+	depends on / blocked

Reported:	2024-01-31 08:01 UTC by Rohit Keshri
Modified:	2024-05-15 07:36 UTC (History)
CC List:	37 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	A vulnerability was found in jberet-core logging. An exception in 'dbProperties' might display user credentials such as the username and password for the database-connection.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Rohit Keshri 2024-01-31 08:01:33 UTC

When the database connection to the job-repository cannot be established (using the JdbcRepository), then an exception is thrown. The exception message is constructed using the 'dbProperties'. The 'dbProperties' might contain username and password for the database-connection.Therefore, database-credentails might be logged unobfuscated as plain text to the console and are visible for everyone that has access to it - which might be a security risk.

Refer:
https://github.com/jberet/jsr352/issues/452

Note You need to log in before you can comment on or make changes to this bug.

aileenc
asoldano
bbaranow
bmaxwell
boliveir
brian.stansberry
cdewolf
chazlett
darran.lofthouse
dkreling
dosoudil
dpalmer
drichtar
fjuma
gmalinko
ivassile
iweiss
janstey
lgao
mosmerov
msochure
mstefank
msvehla
mulliken
nwallace
pdelbell
pdrozd
peholase
pjindal
pmackay
pskopek
rowaters
rstancel
security-response-team
smaestri
sthorger
tom.jenkinson