User confusion in IronJacamar

Moderate severity • GitHub Reviewed • Published May 17, 2022 to the GitHub Advisory Database • Updated Dec 18, 2023

Package

org.jboss.ironjacamar:ironjacamar-jdbc (Maven)

Affected versions

< 1.0.12.Final

Patched versions

1.0.12.Final

Description

The IronJacamar container before 1.0.12.Final for JBoss Application Server, when allow-multiple-users is enabled in conjunction with a security domain, does not use the credentials supplied in a getConnection function call, which allows remote attackers to obtain access to an arbitrary datasource connection in opportunistic circumstances via an invalid connection attempt.
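A dependency check for the affected range above, added here as an example (it is not part of the advisory or of IronJacamar): it scans a Maven POM for `org.jboss.ironjacamar:ironjacamar-jdbc` and reports whether each declared version is below 1.0.12.Final. The sample POM is constructed, and the handling of non-Final 1.0.12 qualifiers and of unresolved property references is an assumption noted in the comments.

```python
import re
import xml.etree.ElementTree as ET

GROUP, ARTIFACT = "org.jboss.ironjacamar", "ironjacamar-jdbc"
FIXED = (1, 0, 12)  # first patched release per the advisory: 1.0.12.Final

def is_affected(version):
    """True if affected, False if patched, None if it cannot be decided."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[.-](.+))?", version.strip())
    if not m:
        return None  # property reference, managed or unusual version: review by hand
    nums = tuple(int(x) for x in m.group(1, 2, 3))
    if nums != FIXED:
        return nums < FIXED
    # Assumption: any 1.0.12 qualifier other than Final (Beta1, CR1, ...) is a
    # pre-release build and is treated as affected.
    return (m.group(4) or "Final").lower() != "final"

def scan_pom(pom_text):
    """Return [(version, verdict)] for every ironjacamar-jdbc dependency."""
    root = ET.fromstring(pom_text)
    for el in root.iter():  # drop XML namespaces so plain tag names match
        el.tag = el.tag.rsplit("}", 1)[-1]
    hits = []
    for dep in root.iter("dependency"):
        if (dep.findtext("groupId", "").strip() == GROUP
                and dep.findtext("artifactId", "").strip() == ARTIFACT):
            ver = dep.findtext("version", "").strip()
            hits.append((ver, is_affected(ver)))
    return hits

# Constructed sample POM (not taken from any real project).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>org.jboss.ironjacamar</groupId>
      <artifactId>ironjacamar-jdbc</artifactId><version>1.0.11.Final</version></dependency>
    <dependency><groupId>org.jboss.ironjacamar</groupId>
      <artifactId>ironjacamar-jdbc</artifactId><version>${ironjacamar.version}</version></dependency>
    <dependency><groupId>junit</groupId>
      <artifactId>junit</artifactId><version>4.13.2</version></dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    for ver, verdict in scan_pom(SAMPLE_POM):
        label = {True: "AFFECTED", False: "patched", None: "unresolved"}[verdict]
        print(f"{GROUP}:{ARTIFACT}:{ver or '(managed)'} -> {label}")
```

A patched version only matters for deployments that match the advisory's conditions, so an AFFECTED result should be followed by a check of whether any datasource enables allow-multiple-users together with a security domain.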

References

Published by the National Vulnerability Database Dec 20, 2012
Published to the GitHub Advisory Database May 17, 2022
Reviewed Dec 18, 2023
Last updated Dec 18, 2023

Severity

Moderate

EPSS score

0.778%
(82nd percentile)

Weaknesses

No CWEs

CVE ID

CVE-2012-3428

GHSA ID

GHSA-ppg2-ww3w-hq84

Source code

No known source code
