#VU42006 Cryptographic issues in JBoss Enterprise Application Platform - CVE-2014-0058

Cybersecurity Help s.r.o.

Published: 2014-02-26 | Updated: 2020-08-10

Vulnerability identifier: #VU42006

Vulnerability risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2014-0058

CWE-ID: CWE-310

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
JBoss Enterprise Application Platform
Server applications / Application servers

Vendor: Red Hat Inc.

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The security audit functionality in Red Hat JBoss Enterprise Application Platform (EAP) 6.x before 6.2.1 logs request parameters in plaintext, which might allow local users to obtain passwords by reading the log files.

Mitigation
Install update from vendor's website.

Vulnerable software versions

JBoss Enterprise Application Platform: 6.0.0 - 6.2.0

External links
https://rhn.redhat.com/errata/RHSA-2014-0204.html
https://rhn.redhat.com/errata/RHSA-2014-0205.html
https://rhn.redhat.com/errata/RHSA-2015-0034.html
https://www.securityfocus.com/bid/65762

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Cryptographic issues in JBoss Enterprise Application Platform