CVE-2014-0085

CWE-255 CWE-200 — Information Exposure6 documents5 sources

Severity

2.1LOW

EPSS

0.1%

top 75.42%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Jboss A-mq Redhat Jboss Fuse

Timeline

PublishedApr 17

Latest updateMay 14

Description

JBoss Fuse did not enable encrypted passwords by default in its usage of Apache Zookeeper. This permitted sensitive information disclosure via logging to local users. Note: this description has been updated; previous text mistakenly identified the source of the flaw as Zookeeper. Previous text: Apache Zookeeper logs cleartext admin passwords, which allows local users to obtain sensitive information by reading the log.

CVSS vector

AV:L/AC:L/C:P/I:N/A:NExploitability: 3.9 | Impact: 2.9

Affected Packages3 packages

▶Mavenorg.jboss.fuse:jboss-fuse< 6.1.0

▶NVDredhat/jboss_fuse6.0.0

▶NVDredhat/jboss_a-mq6.0.0

🔴Vulnerability Details

GHSA

Exposure of Sensitive Information to an Unauthorized Actor in JBoss Fuse↗2022-05-14

▶

OSV

Exposure of Sensitive Information to an Unauthorized Actor in JBoss Fuse↗2022-05-14

▶

OSV

CVE-2014-0085: JBoss Fuse did not enable encrypted passwords by default in its usage of Apache Zookeeper↗2014-04-17

▶

CVEList

CVE-2014-0085: JBoss Fuse did not enable encrypted passwords by default in its usage of Apache Zookeeper↗2014-04-17

▶

💬Community

Bugzilla

CVE-2014-0085 Fuse: admin user cleartext password appears in logging↗2014-02-20

▶