Miggo Logo

CVE-2013-4112: Exposure of Sensitive Information to an Unauthorized Actor in JGroup

5.4

CVSS Score

Basic Information

EPSS Score
0.6939%
Published
5/17/2022
Updated
1/27/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
AV:A/AC:M/Au:N/C:P/I:P/A:P
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.jgroups:jgroupsmaven>= 3.0.0, <= 3.2.8.Final3.2.9.Final
org.jgroups:jgroupsmaven>= 3.3.0, <= 3.3.2.Final3.3.3.Final

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability centers on JGroups' DiagnosticsHandler authentication mechanism. While exact patch diffs aren't provided, multiple authoritative sources:

  1. Explicitly name DiagnosticsHandler as the vulnerable component
  2. Describe credential reuse attacks
  3. Show fixes in JGroups versions 3.2.9/3.3.3

In JGroups architecture, the handle() method is the entry point for processing diagnostic requests, making it the logical location for authentication checks. The presence of credential caching/reuse suggests either the main request handler or a dedicated authentication method would retain stale credentials. The high confidence for handle() comes from direct advisory references, while authenticate() is inferred from the vulnerability pattern.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** *i**nosti*s**n*l*r in J*roup *.*.x, *.*.x, *.*.x ***or* *.*.*, *n* *.*.x ***or* *.*.* *llows r*mot* *tt**k*rs to o*t*in s*nsitiv* in*orm*tion (*i**nosti* in*orm*tion) *n* *x**ut* *r*itr*ry *o** *y r*usin* v*li* *r***nti*ls.

Reasoning

T** vuln*r**ility **nt*rs on J*roups' *i**nosti*s**n*l*r *ut**nti**tion m****nism. W*il* *x**t p*t** *i**s *r*n't provi***, multipl* *ut*orit*tiv* sour**s: *. *xpli*itly n*m* *i**nosti*s**n*l*r *s t** vuln*r**l* *ompon*nt *. **s*ri** *r***nti*l r*us*