Jberet: jberet-core logging database credentials
Description
A vulnerability was found in jberet-core logging. An exception in 'dbProperties' might display user credentials such as the username and password for the database connection.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2024-1102: An exception in jberet-core's dbProperties logging exposes database credentials (username and password) to attackers with log access.
Vulnerability Details
CVE-2024-1102 is an information disclosure vulnerability in jberet-core, the core runtime engine of the JBeret batch processing implementation. When an exception occurs during the processing of database connection properties (dbProperties), the error message may inadvertently include the database username and password, exposing sensitive credentials to anyone with access to the logs [3]. The root cause is improper sanitization of exception messages that include connection parameters.
Attack Vector
Exploitation does not require authentication to the database itself. An attacker who can trigger a database-related exception (e.g., by providing malformed connection parameters or causing a network timeout) and who has read access to the application logs can obtain the credentials. In typical deployments, logs are stored on disk or shipped to centralized logging systems, which may be accessible to lower-privileged users or external attackers if log files are not properly secured.
Impact
A successful attack grants the attacker the database username and password, enabling unauthorized access to the underlying database. This can lead to data theft, data modification, or further lateral movement within the infrastructure, depending on the database's permissions and network exposure.
Mitigation
Red Hat has released security updates for JBoss Enterprise Application Platform (EAP) as part of RHSA-2024:3580 (for RHEL 8) and RHSA-2024:3581 (for RHEL 9) [1][2]. These updates include a patched version of jberet-core that filters sensitive information from exception messages. Users are strongly advised to apply the patches promptly. There is no indication that a workaround is available; protecting log files with strict access controls can reduce risk but does not fix the underlying vulnerability.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
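The mechanism above (a `Properties` object rendered verbatim into an exception message) and the masking fix, as an added illustration that is not jberet's own code: the unsafe message builder beside a hardened one that keeps property names for diagnostics but redacts credential values and the JDBC URL query string. The class, method names and the sensitive-key list are assumptions; the sample URL and credentials are constructed dummy values.

```java
import java.util.Locale;
import java.util.Properties;
import java.util.Set;
import java.util.TreeMap;

public final class DbPropsMasking {

    // Property names whose values must never reach a log line (assumed list, not jberet's).
    private static final Set<String> SENSITIVE =
            Set.of("password", "passwd", "pwd", "secret", "token", "user");

    // Vulnerable pattern: Properties.toString() prints every key=value pair, credentials included.
    static String unsafeMessage(String dbUrl, Properties dbProperties) {
        return "Failed to obtain connection to " + dbUrl + " with properties " + dbProperties;
    }

    // Hardened pattern: keep key names for diagnostics, redact sensitive values, and strip
    // the query string from the JDBC URL, since some drivers accept user/password there.
    static String safeMessage(String dbUrl, Properties dbProperties) {
        return "Failed to obtain connection to " + redactUrl(dbUrl)
                + " with properties " + redact(dbProperties);
    }

    static String redactUrl(String dbUrl) {
        int q = dbUrl.indexOf('?');
        return q < 0 ? dbUrl : dbUrl.substring(0, q) + "?<query masked>";
    }

    // Returns a sorted copy with sensitive values replaced by "****".
    static TreeMap<String, String> redact(Properties props) {
        TreeMap<String, String> out = new TreeMap<>();
        for (String name : props.stringPropertyNames()) {
            String lower = name.toLowerCase(Locale.ROOT);
            boolean sensitive = SENSITIVE.stream().anyMatch(lower::contains);
            out.put(name, sensitive ? "****" : props.getProperty(name));
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample: a dummy JDBC URL and credentials, not real values.
        Properties p = new Properties();
        p.setProperty("user", "batch_app");
        p.setProperty("password", "s3cr3t-example");
        p.setProperty("loginTimeout", "5");
        String url = "jdbc:postgresql://db.example.internal:5432/batch?ssl=true";
        System.out.println(unsafeMessage(url, p)); // leaks user and password into the log
        System.out.println(safeMessage(url, p));   // key names survive, values are masked
    }
}
```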
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jberet:jberet-core (Maven) | < 2.2.1.Final | 2.2.1.Final |
Affected products
Patches (1)
eeef999663d7 JBERET-452: Mask db-creds from exception message
1 file changed · +1 −1
jberet-core/src/main/java/org/jberet/repository/JdbcRepository.java+1 −1 modified@@ -1112,7 +1112,7 @@ private Connection getConnection() { try { return DriverManager.getConnection(dbUrl, dbProperties); } catch (final Exception e) { - throw BatchMessages.MESSAGES.failToObtainConnection(e, dbUrl, dbProperties); + throw BatchMessages.MESSAGES.failToObtainConnection(e, dbUrl, "<db props> masked"); } } }
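Review bot: The replacement constant `"<db props> masked"` discards all diagnostic value while leaving `dbUrl` in the message unmasked, although several JDBC drivers accept `user` and `password` as URL query parameters, so a credential embedded in the URL would still be logged by this path. Consider passing only the property names (e.g. `dbProperties.stringPropertyNames()`) instead of a fixed string, and stripping the query string from `dbUrl` before it reaches `failToObtainConnection`; the wrapped cause `e` is also passed through unchanged, so the driver's own exception message should be checked for the same parameters.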
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- access.redhat.com/errata/RHSA-2024:1677 (vendor advisory, Red Hat)
- access.redhat.com/errata/RHSA-2024:3580 (vendor advisory, Red Hat)
- access.redhat.com/errata/RHSA-2024:3581 (vendor advisory, Red Hat)
- access.redhat.com/errata/RHSA-2024:3583 (vendor advisory, Red Hat)
- github.com/advisories/GHSA-9wmf-xf3h-r8pr (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-1102 (NVD advisory)
- access.redhat.com/security/cve/CVE-2024-1102 (Red Hat vulnerability database entry)
- bugzilla.redhat.com/show_bug.cgi (Red Hat issue tracker)
- github.com/jberet/jsr352/commit/eeef999663d7da0e372aeeeac26ecf7201a3121d (fix commit)
- github.com/jberet/jsr352/issues/452 (upstream issue)