Jedox 2022.4.2 - Disclosure of Database Credentials via Connection Checks

vendor:

Jedox

by:

Team Syslifters / Christoph MAHRL, Aron MOLNAR, Patrick PIRKER and Michael WEDL

7.4

CVSS

HIGH

Information Disclosure

200

CWE

Product Name: Jedox

Affected Version From: Jedox 2022.4 (22.4.2) and older

Affected Version To: Jedox 2022.4 (22.4.2)

Patch Exists: YES

Related CWE: CVE-2022-47880

CPE: a:jedox:jedox

Metasploit:

Other Scripts:

Platforms Tested:

2023

Jedox 2022.4.2 – Disclosure of Database Credentials via Connection Checks

An information disclosure vulnerability in /be/rpc.php allows remote authenticated users with the appropriate permissions to modify database connections to disclose the clear text credentials via the test connection function. To exploit the vulnerability, the attacker must set the host of the database connection to a server under his control.

Mitigation:

Ensure that the host of the database connection is set to a trusted server and that the test connection function is not accessible to unauthorized users.

Source

Exploit-DB raw data:

# Exploit Title: Jedox 2022.4.2 - Disclosure of Database Credentials via Connection Checks
# Date: 28/04/2023
# Exploit Author: Team Syslifters / Christoph MAHRL, Aron MOLNAR, Patrick PIRKER and Michael WEDL
# Vendor Homepage: https://jedox.com
# Version: Jedox 2022.4 (22.4.2) and older
# CVE : CVE-2022-47880


Introduction
=================
An information disclosure vulnerability in `/be/rpc.php` allows remote authenticated users with the appropriate permissions to modify database connections to disclose the clear text credentials via the `test connection` function. To exploit the vulnerability, the attacker must set the host of the database connection to a server under his control.


Write-Up
=================
See [Docs Syslifters](https://docs.syslifters.com/) for a detailed write-up on how to exploit vulnerability.


Proof of Concept
=================
1) The host part of a database connection can be changed in the connections details in the UI. Set the Host to a server that you control.

2) Test the database connection.

3) The webserver initiates a connection to the server that you control. Use wireshark to capture network traffic and to ultimately extract the database credentials.