CVE-2014-0085: Exposure of Sensitive Information to an Unauthorized Actor in JBoss Fuse

May 14, 2022 (updated July 7, 2022)

JBoss Fuse does not enable encrypted passwords by default in its usage of Apache Zookeeper. This permitted sensitive information disclosure via logging to local users. Note: this description has been updated; previous text mistakenly identified the source of the flaw as Zookeeper. Previous text: Apache Zookeeper logs cleartext admin passwords, which allows local users to obtain sensitive information by reading the log.

References

bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0085
github.com/advisories/GHSA-h259-3rjg-5qp3
nvd.nist.gov/vuln/detail/CVE-2014-0085

Code Behaviors & Features

Detect and mitigate CVE-2014-0085 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →