Oracle Application Server JDeveloper Cleartext Password Parameter
Local Access Required
Loss of Confidentiality
Oracle Application Server JDeveloper contains a flaw that may lead to unauthorized password exposure. JDeveloper launches the SQLPlus executable with the plaintext password as a parameter, so a modified SQLPlus executable can be used to gain access to plaintext passwords, resulting in a loss of confidentiality.
Currently, there are no known workarounds or upgrades to correct this issue. However, Oracle has released a patch (Critical Patch Update - July 2005) to address this vulnerability.
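
An audit check for the launch pattern described above, as an added example that is not part of the original advisory or Oracle's code: it scans process command lines for SQL*Plus started with a `user/password` logon argument and reports them with the password redacted. The input format (NUL-separated `/proc/<pid>/cmdline` bytes), the function names and the sample entries are assumptions constructed for illustration.

```python
import re

# Logon argument carrying a password: user/password[@connect_identifier].
# "/", "/nolog" and "user@db" (password is prompted for) do not match.
LOGON_WITH_PASSWORD = re.compile(
    r"^(?P<user>[^/@\s]+)/(?P<password>[^@\s]+)(?:@(?P<db>\S+))?$"
)


def is_sqlplus(argv0: str) -> bool:
    """True when the executable's base name is sqlplus (any path, optional .exe)."""
    name = re.split(r"[\\/]", argv0)[-1].lower()
    return name in ("sqlplus", "sqlplus.exe")


def find_exposed_logons(processes):
    """processes: iterable of (pid, raw), raw in /proc/<pid>/cmdline form
    (NUL-separated bytes). Returns findings with the password redacted."""
    findings = []
    for pid, raw in processes:
        argv = [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]
        if not argv or not is_sqlplus(argv[0]):
            continue
        for arg in argv[1:]:
            if arg.startswith(("-", "@")):  # command-line option or start script
                continue
            m = LOGON_WITH_PASSWORD.match(arg)
            if m:
                db = m.group("db")
                redacted = f"{m.group('user')}/****" + (f"@{db}" if db else "")
                findings.append({"pid": pid, "user": m.group("user"),
                                 "db": db, "redacted": redacted})
                break
    return findings


# Constructed sample process table (not captured from a real system).
SAMPLE = [
    (4101, b"/u01/app/oracle/bin/sqlplus\0-S\0scott/ExamplePw1@orcl\0@report.sql\0"),
    (4102, b"/u01/app/oracle/bin/sqlplus\0/nolog\0"),
    (4103, b"C:\\oracle\\bin\\SQLPLUS.EXE\0hr/ExamplePw2\0"),
    (4104, b"/u01/app/oracle/bin/sqlplus\0scott@orcl\0"),
    (4105, b"/usr/bin/vim\0notes/todo\0"),
]

if __name__ == "__main__":
    for f in find_exposed_logons(SAMPLE):
        print(f"pid {f['pid']}: sqlplus started with cleartext password: {f['redacted']}")
```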