First published: Wed Oct 05 2011
The default configuration of the jserv-status handler in jserv.conf in Apache JServ 1.1.2 includes an "allow from 127.0.0.1" line, which allows local users to discover JDBC passwords or other sensitive information via a direct request to the jserv/ URI.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Apache JServ | =1.1.2 |