CVE-2020-25640

A flaw was discovered in WildFly before 21.0.0.Final where, Resource adapter logs plain text JMS password at warning level on connection error, inserting sensitive information in the log file.

CVSS v3 5.3 MEDIUM
CVSS v2.0 3.5 LOW

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.6 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

3.5^/10

CVSS v2.0 : LOW

Vector : AV:N/AC:M/Au:S/C:P/I:N/A:N

Exploitability : 6.8 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://bugzilla.redhat.com/show_bug.cgi?id=1881637	Issue Tracking Vendor Advisory
https://github.com/amqphub/amqp-10-resource-adapter/issues/13	Third Party Advisory
https://security.netapp.com/advisory/ntap-20201210-0001/	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:redhat:wildfly:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2020-11-24 19:15

Updated : 2023-12-10 13:41

NVD link : CVE-2020-25640

Mitre link : CVE-2020-25640

CVE.ORG link : CVE-2020-25640

JSON object : View

Products Affected

redhat

wildfly

CWE

CWE-532

Insertion of Sensitive Information into Log File

CWE-209

Generation of Error Message Containing Sensitive Information

{"id": "CVE-2020-25640", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 3.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:P/I:N/A:N", "authentication": "SINGLE", "integrityImpact": "NONE", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.6}]}, "published": "2020-11-24T19:15:10.633", "references": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1881637", "tags": ["Issue Tracking", "Vendor Advisory"], "source": "secalert@redhat.com"}, {"url": "https://github.com/amqphub/amqp-10-resource-adapter/issues/13", "tags": ["Third Party Advisory"], "source": "secalert@redhat.com"}, {"url": "https://security.netapp.com/advisory/ntap-20201210-0001/", "tags": ["Third Party Advisory"], "source": "secalert@redhat.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-532"}]}, {"type": "Secondary", "source": "secalert@redhat.com", "description": [{"lang": "en", "value": "CWE-209"}]}], "descriptions": [{"lang": "en", "value": "A flaw was discovered in WildFly before 21.0.0.Final where, Resource adapter logs plain text JMS password at warning level on connection error, inserting sensitive information in the log file."}, {"lang": "es", "value": "Se detect\u00f3 un fallo en WildFly versiones anteriores a 21.0.0.Final donde, el adaptador de Recursos registra una contrase\u00f1a JMS de texto plano en el nivel de advertencia en caso de error de conexi\u00f3n, insertando informaci\u00f3n confidencial en el archivo de registro"}], "lastModified": "2023-11-07T03:20:18.267", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:redhat:wildfly:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "83915CB8-1E94-41BF-9BC6-BE35DA6BC7C0", "versionEndExcluding": "21.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "secalert@redhat.com"}