Oracle JDeveloper 9.0.4, 9.0.5, and 10.1.2 stores cleartext passwords in (1) IDEConnections.xml, (2) XSQLConfig.xml and (3) settings.xml, which allows local users to obtain sensitive information.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Jdeveloper | Oracle | 9.0.4 (including) | 9.0.4 (including) |
| Jdeveloper | Oracle | 9.0.5 (including) | 9.0.5 (including) |
| Jdeveloper | Oracle | 10.1.2 (including) | 10.1.2 (including) |
References
- http://marc.info/?l=bugtraq\u0026m=112129177927502\u0026w=2
- http://secunia.com/advisories/15991/
- http://www.oracle.com/technology/deploy/security/pdf/cpujul2005.html
- http://www.red-database-security.com/advisory/oracle_jdeveloper_plaintext_password.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/21342
- http://marc.info/?l=bugtraq\u0026m=112129177927502\u0026w=2
- http://secunia.com/advisories/15991/
- http://www.oracle.com/technology/deploy/security/pdf/cpujul2005.html
- http://www.red-database-security.com/advisory/oracle_jdeveloper_plaintext_password.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/21342