CVE-2013-4112
Exposure of Sensitive Information to an Unauthorized Actor in JGroup
EPSS 1.3%
Description
The DiagnosticsHandler in JGroup 3.0.x, 3.1.x, 3.2.x before 3.2.9, and 3.3.x before 3.3.3 allows remote attackers to obtain sensitive information (diagnostic information) and execute arbitrary code by reusing valid credentials.
How to fix CVE-2013-4112
To remediate CVE-2013-4112, upgrade the affected package to one of the fixed versions listed below.
- Debian/libjgroups-java—upgrade to 2.12.2.Final-4 or later
- Maven/org.jgroups:jgroups—upgrade to 3.2.9.Final or later
Is CVE-2013-4112 being exploited?
Low — EPSS is 1.3%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- Debian/libjgroups-java: from 0, < 2.12.2.Final-4
- Maven/org.jgroups:jgroups: >= 3.0.0, < 3.2.9.Final