CVE-2013-3734 – JBoss AS Administrative Console Password Disclosure

https://notcve.org/view.php?id=CVE-2013-3734

The Embedded Jopr component in JBoss Application Server includes the cleartext datasource password in unspecified HTML responses, which might allow (1) man-in-the-middle attackers to obtain sensitive information by leveraging failure to use SSL or (2) attackers to obtain sensitive information by reading the HTML source code. NOTE: the vendor says that this does not cross a trust boundary and that it is recommended best-practice that SSL is configured for the administrative console **EN DISPUTA** El componente Embedded Jopr en JBoss Application Server incluye la contraseña del origen de datos en texto en claro en respuestas HTML no especificadas, lo que podría permitir (1) que atacantes Man-in-the-Middle (MitM) obtengan información sensible aprovechando que no se puede utilizar SSL o (2) que los atacantes obtengan información sensible leyendo el código fuente HTML. NOTA: el fabricante dice que no traspasa ningún límite de confianza y que el hecho de que el SSL esté configurado para la consola administrativa es una buena práctica recomendada. JBoss AS administration consoles versions prior to 1.2 re-embed password that are disclosed when viewing page source. This is an obvious poor security practice and the vendor has decided not to fix it, possibly due to lack of comprehending why it is a bad idea. • http://www.securityfocus.com/bid/60429 https://bugzilla.redhat.com/show_bug.cgi?id=971637 https://www.halock.com/blog/cve-2013-3734-jboss-administration-console-password-returned-response • CWE-255: Credentials Management Errors •