First published: Tue Sep 03 2019
autocomplete="off" is not present on the password field or at the form level in the login page source code:

---------------
<form class="form-horizontal" role="form" action="j_security_check?locale=en_US" method="POST">
  <div class="form-group">
    <label for="j_username" class="col-sm-2 col-md-2 control-label">Username</label>
    <div class="col-sm-10 col-md-10">
      <input type="text" class="form-control" value="" name="j_username" id="j_username" placeholder="" tabindex="1" autofocus />
    </div>
  </div>
  <div class="form-group">
    <label for="j_password" class="col-sm-2 col-md-2 control-label">Password</label>
    <div class="col-sm-10 col-md-10">
      <input type="password" class="form-control" id="j_password" name="j_password" placeholder="" tabindex="2">
    </div>
  </div>
  <div class="form-group">
    <div class="col-xs-offset-8 col-xs-4 col-sm-offset-8 col-sm-4 col-md-offset-8 col-md-4 submit">
      <button type="submit" class="btn btn-primary btn-lg" tabindex="3">Sign In</button>
    </div>
  </div>
</form>
--------------

Solution: Disable autocomplete on every sensitive field, for example:

<input type="password" autocomplete="off" name="pw">

If there are many fields, it may be faster to set the autocomplete attribute to "off" on the outer <form> tag; it then applies to every field inside the form that does not set its own value. For example:

<form action="/login.jsp" autocomplete="off">
  <input type="password" name="pw">
</form>
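As a practical check for the condition described above, here is an added example written for this page (not code from Red Hat or RHDM): a small passive scanner in Python that parses an HTML document and reports every password input that is not covered by autocomplete="off", either on the field itself or on its enclosing <form>. The two sample forms embedded in it are constructed from the report's markup, trimmed to the tags that matter; the class and function names are the example's own.

```python
"""Passive check for password fields that browsers are still allowed to autofill.

Flags each <input type="password"> that lacks autocomplete="off" on the field
and is not inside a <form autocomplete="off">. Example code for this page only.
"""
from html.parser import HTMLParser


class AutocompleteAudit(HTMLParser):
    """Walk the document, tracking the autocomplete setting of each open <form>."""

    def __init__(self):
        super().__init__()
        self._form_stack = []    # autocomplete value of every currently open <form>
        self.findings = []       # (field name or id, reason) for unprotected fields
        self.password_fields = 0  # total password inputs seen, protected or not

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; valueless attributes
        # (e.g. "autofocus") arrive with value None, so normalise to "".
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._form_stack.append(a.get("autocomplete", "").strip().lower())
            return
        if tag != "input" or a.get("type", "text").strip().lower() != "password":
            return
        self.password_fields += 1
        field_ac = a.get("autocomplete", "").strip().lower()
        form_ac = self._form_stack[-1] if self._form_stack else ""
        # The field's own attribute wins; only if it is absent does the form's
        # value apply. Any explicit value other than "off" (e.g. "new-password")
        # still permits autofill, so only "off" counts as protected here.
        if field_ac == "off" or (not field_ac and form_ac == "off"):
            return
        label = a.get("name") or a.get("id") or "<unnamed>"
        if field_ac:
            reason = f'autocomplete="{field_ac}" on the field does not disable autofill'
        elif form_ac:
            reason = f'form-level autocomplete="{form_ac}" does not disable autofill'
        else:
            reason = "no autocomplete attribute on the field or its form"
        self.findings.append((label, reason))

    def handle_endtag(self, tag):
        if tag == "form" and self._form_stack:
            self._form_stack.pop()


def audit(html):
    """Return a list of (field label, reason) for every unprotected password input."""
    p = AutocompleteAudit()
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample: the RHDM 7.0 login form from the report, reduced to the
# form and its inputs (layout divs, labels and classes removed).
VULNERABLE_FORM = """
<form action="j_security_check?locale=en_US" method="POST">
  <input type="text" name="j_username" id="j_username" autofocus />
  <input type="password" name="j_password" id="j_password">
  <button type="submit">Sign In</button>
</form>
"""

# Same form with the form-level fix from the solution text applied.
FIXED_FORM = VULNERABLE_FORM.replace("<form ", '<form autocomplete="off" ', 1)

if __name__ == "__main__":
    for name, doc in (("vulnerable", VULNERABLE_FORM), ("fixed", FIXED_FORM)):
        print(name, audit(doc) or "OK")
```

Run against a saved copy of the login page (or wire `audit()` into a crawler) and it lists the offending field names, which is what a passive web scanner does for this finding class. One caveat worth remembering when triaging this kind of report: current browsers' built-in password managers deliberately ignore autocomplete="off" on login fields, so the attribute stops form-history autofill but does not stop the browser from offering to save the password; this check only verifies that the attribute is present, which is what the finding asks for.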
Credit: secalert@redhat.com
Affected Software | Affected Version | How to fix |
---|---|---|
Red Hat Decision Manager | 7.0 | Apply the fix provided by Red Hat (see vendor references) |
CVE-2019-14840 is a vulnerability in Red Hat Decision Manager (RHDM): the login page does not disable browser auto-complete on sensitive HTML form fields.
CVE-2019-14840 has a severity rating of 7.5 (high).
CVE-2019-14840 affects RHDM 7.0. Because the password field is not marked autocomplete="off" (and neither is its form), a browser may store and auto-fill the credential, which may result in credential leakage, for example on a shared or compromised machine.
A fix for CVE-2019-14840 is available from Red Hat; refer to the vendor references for how to apply it.
The Common Weakness Enumeration (CWE) ID for CVE-2019-14840 is CWE-522 (Insufficiently Protected Credentials).