Home Tools Exploits & CVE's Debezium UI 2.5 Credential Disclosure

Debezium UI 2.5 Credential Disclosure

May 30, 2024

Authored by Ihsan Cetin, Hamza Kaya Toprak

Debezium UI version 2.5 suffers from a credential disclosure vulnerability.

advisories | CVE-2024-28736

# Exploit Title: Debezium UI - Credential Leakage

# Google Dork: N/A

# Date: [2024-03-11]

# Exploit Author: Ihsan Cetin, Hamza Kaya Toprak

# Vendor Homepage: https://debezium.io/

# Software Link: N/A

# Version: < 2.5 (REQUIRED)

# Tested on: [N/A]

# CVE : CVE-2024-28736

Proof of concept:

# Details

#Debezium-ui (version 2.5) is vulnerable to a password exposure issue that could allow an attacker to retrieve sensitive credentials in plaintext format.

# PoC :

#Unmasked Password in Connector Configuration: When navigating to the connectors section within the application's connector screen, the password field, which should ideally be masked for security purposes, is briefly displayed in plaintext format during the initial seconds.

# Plaintext Password Retrieval via API Endpoint: By accessing the URL

http://10.0.15.51:8080//api/connectors/1/account-activity/config

#and searching for the database.password parameter, an attacker can retrieve the database password in plaintext format without any authentication.

Debezium UI 2.5 Credential Disclosure

Follow us on Instagram @thecyberpost

EDITOR PICKS

With review nearly finished, UnitedHealth says ‘no evidence’ doctors’ charts stolen...

Almost 200 cancer operations postponed as ransomware group publishes London hospitals...

Polish investigators seize Pegasus spyware systems as part of probe into...

POPULAR POSTS

Oracle Database Password Hash Unauthorized Access

ESET NOD32 Antivirus 17.1.11.0 Unquoted Service Path

Restaurant Reservation System Patches Easy-to-Exploit XSS Bug

POPULAR CATEGORY

WordPress BackUpWordPress 3.8 Backup Disclosure

WordPress Alemha Watermarker 1.3.1 Cross Site Scripting

ChiKoi New-MVC-SHOP 1.0 Cross Site Scripting