2.1

CVSS Score

Basic Information

CVE ID

CVE-2014-0085

GHSA ID

GHSA-h259-3rjg-5qp3

EPSS Score

0.2941%

CWE

CWE-200

Published

5/14/2022

Updated

1/27/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2014-0085

CVE-2014-0085: Exposure of Sensitive Information to an Unauthorized Actor in JBoss Fuse

JBoss Fuse did not enable encrypted passwords by default in its usage of Apache Zookeeper. This permitted sensitive information disclosure via logging to local users. Note: this description has been updated; previous text mistakenly identified the source of the flaw as Zookeeper. Previous text: Apache Zookeeper logs cleartext admin passwords, which allows local users to obtain sensitive information by reading the log.

(GitHub Advisory)

2.1

CVSS Score

Basic Information

CVE ID

CVE-2014-0085

GHSA ID

GHSA-h259-3rjg-5qp3

EPSS Score

0.2941%

CWE

CWE-200

Published

5/14/2022

Updated

1/27/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

AV:L/AC:L/Au:N/C:P/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jboss.fuse:jboss-fuse	maven	< 6.1.0	6.1.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability occurs because JBoss Fuse's Zookeeper integration didn't enable password encryption by default. The primary point of exposure would be in the code responsible for passing authentication credentials to Zookeeper. The ZKClient.addAuthInfo method is a logical location where cleartext passwords would be handled before being sent to Zookeeper, which would then log them insecurely. While direct patch evidence isn't available, the vulnerability description and Red Hat's resolution note about encrypting passwords in Fuse Fabric strongly suggest this authentication handling function as the vulnerable component.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

J*oss *us* *i* not *n**l* *n*rypt** p*sswor*s *y ****ult in its us*** o* *p**** Zook**p*r. T*is p*rmitt** s*nsitiv* in*orm*tion *is*losur* vi* lo**in* to lo**l us*rs. Not*: t*is **s*ription **s ***n up**t**; pr*vious t*xt mist*k*nly i**nti*i** t** so

Reasoning

T** vuln*r**ility o**urs ****us* J*oss *us*'s Zook**p*r int**r*tion *i*n't *n**l* p*sswor* *n*ryption *y ****ult. T** prim*ry point o* *xposur* woul* ** in t** *o** r*sponsi*l* *or p*ssin* *ut**nti**tion *r***nti*ls to Zook**p*r. T** `ZK*li*nt.****ut

2.1

Basic Information

Concerned about an active attack path?

CVE-2014-0085: Exposure of Sensitive Information to an Unauthorized Actor in JBoss Fuse

2.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI