CVE-2013-3734 - Credentials Management vulnerability in Redhat Jboss Application Server 1.2
Metric | Value |
---|---|
Attack vector | NETWORK |
Attack complexity | HIGH |
Privileges required | HIGH |
Confidentiality impact | HIGH |
Integrity impact | HIGH |
Availability impact | HIGH |
Summary
The Embedded Jopr component in JBoss Application Server includes the cleartext datasource password in unspecified HTML responses, which might allow (1) man-in-the-middle attackers to obtain sensitive information by leveraging failure to use SSL or (2) attackers to obtain sensitive information by reading the HTML source code. NOTE: the vendor says that this does not cross a trust boundary and that it is recommended best practice that SSL is configured for the administrative console.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 1 |
Common Weakness Enumeration (CWE)
Packetstorm
Field | Value |
---|---|
data source | https://packetstormsecurity.com/files/download/121920/jbossadmin-disclose.txt |
id | PACKETSTORM:121920 |
last seen | 2016-12-05 |
published | 2013-06-06 |
reporter | amroot |
source | https://packetstormsecurity.com/files/121920/JBoss-AS-Administrative-Console-Password-Disclosure.html |
title | JBoss AS Administrative Console Password Disclosure |
Seebug
Field | Value |
---|---|
bulletinFamily | exploit |
description | CVE-2013-3734 Red Hat JBoss Application Server (also known as WildFly) is an open-source Java EE based application server from the US company Red Hat. It features very fast startup, a lightweight modular design, hot and parallel deployment, simple administration, domain management and first-class components. An information disclosure vulnerability exists in Red Hat JBoss Application Server 1.2 and earlier versions. An attacker can exploit this vulnerability to obtain sensitive information, which can help in launching further attacks. Red Hat JBoss Application Server: the vendor has not yet released a patch or upgrade for this vulnerability; users of this software are advised to watch the vendor's homepage for the latest version: http://www.redhat.com/ |
id | SSV:60856 |
last seen | 2017-11-19 |
modified | 2013-06-26 |
published | 2013-06-26 |
reporter | Root |
title | Red Hat JBoss Application Server Password Information Disclosure Vulnerability (CVE-2013-3734) |