CVE-2016-7043 – org.kie.server:kie-server-common

Package

Manager: maven
Name: org.kie.server:kie-server-common
Vulnerable Version: >=0 <7.21.0.final

Severity

Level: Critical

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00298 pctl0.52692

Details

Password in config file in KIE server It has been reported that KIE server and Busitess Central before version 7.21.0.Final contain username and password as plaintext Java properties. Any app deployed on the same server would have access to these properties, thus granting access to ther services.

Metadata

Created: 2022-05-24T16:45:43Z
Modified: 2023-02-14T00:57:31Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-pjw3-c74j-m9fj/GHSA-pjw3-c74j-m9fj.json
CWE IDs: ["CWE-260"]
Alternative ID: GHSA-pjw3-c74j-m9fj
Finding: F009
Auto approve: 1