2.1

CVSS Score

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2014-0085

CVE-2014-0085: Exposure of Sensitive Information to an Unauthorized Actor in JBoss Fuse

JBoss Fuse did not enable encrypted passwords by default in its usage of Apache Zookeeper. This permitted sensitive information disclosure via logging to local users. Note: this description has been updated; previous text mistakenly identified the source of the flaw as Zookeeper. Previous text: Apache Zookeeper logs cleartext admin passwords, which allows local users to obtain sensitive information by reading the log.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2014-0085

CVE-2014-0085:

2.1

CVSS Score

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jboss.fuse:jboss-fuse	maven	< 6.1.0	6.1.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability occurs because JBoss Fuse's Zookeeper integration didn't enable password encryption by default. The primary point of exposure would be in the code responsible for passing authentication credentials to Zookeeper. The ZKClient.addAuthInfo method is a logical location where cleartext passwords would be handled before being sent to Zookeeper, which would then log them insecurely. While direct patch evidence isn't available, the vulnerability description and Red Hat's resolution note about encrypting passwords in Fuse Fabric strongly suggest this authentication handling function as the vulnerable component.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

2.1

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2014-0085: Exposure of Sensitive Information to an Unauthorized Actor in JBoss Fuse

CVE-2014-0085:

2.1

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2014-0085: Exposure of Sensitive Information to an Unauthorized Actor in JBoss Fuse

Technical Details

2.1

2.1

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI