Vulnerability Details : CVE-2012-3431
The Teiid Java Database Connectivity (JDBC) socket, as used in JBoss Enterprise Data Services Platform before 5.3.0, does not encrypt login messages by default, contrary to documentation and specification, which allows remote attackers to obtain login credentials via a man-in-the-middle (MITM) attack.
Products affected by CVE-2012-3431
- cpe:2.3:a:redhat:jboss_enterprise_data_services_platform:*:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_enterprise_data_services_platform:5.1.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2012-3431
- 0.14%: probability of exploitation activity in the next 30 days
- ~48%: percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2012-3431
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N | 8.6 | 2.9 | NIST | |
CWE ids for CVE-2012-3431
-
Assigned by: nvd@nist.gov (Primary)
References for CVE-2012-3431
- https://exchange.xforce.ibmcloud.com/vulnerabilities/78803 (Teiid JDBC socket information disclosure CVE-2012-3431 Vulnerability Report)
- http://www.securityfocus.com/bid/55634 (Teiid JDBC Man in the Middle Information Disclosure Vulnerability)
- http://rhn.redhat.com/errata/RHSA-2012-1301.html (Red Hat Customer Portal, Vendor Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=843669 (843669 – (CVE-2012-3431) CVE-2012-3431 Teiid: JDBC socket does not encrypt client login messages by default)