CVE-2023-4066 — Cleartext Storage in a File or on Disk in Redhat Jboss A-mq

CWE-313 — Cleartext Storage in a File or on Disk CWE-312 — Cleartext Storage of Sensitive Info4 documents4 sources

Severity

5.5MEDIUMNVD

EPSS

0.0%

top 87.56%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Jboss A-mq Redhat Jboss Middleware Redhat Openshift Container Platform

Timeline

PublishedSep 27

Description

A flaw was found in Red Hat's AMQ Broker, which stores certain passwords in a secret security-properties-prop-module, defined in ActivemqArtemisSecurity CR; however, they are shown in plaintext in the StatefulSet details yaml of AMQ Broker.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages2 packages

▶NVDredhat/jboss_a-mq7

▶NVDredhat/jboss_middleware1

Also affects: Openshift Container Platform 4.11, 4.12

🔴Vulnerability Details

CVEList

Operator: passwords defined in secrets shown in statefulset yaml↗2023-09-27

▶

GHSA

GHSA-pp2q-hf69-vw5g: A flaw was found in Red Hat's AMQ Broker, which stores certain passwords in a secret security-properties-prop-module, defined in ActivemqArtemisSecuri↗2023-09-27

▶

📋Vendor Advisories

Red Hat

Operator: Passwords defined in secrets shown in StatefulSet yaml↗2023-08-23

▶