CVE-2014-0085 : JBoss Fuse did not enable encrypted passwords by default in its usage of Apache

JBoss Fuse did not enable encrypted passwords by default in its usage of Apache Zookeeper. This permitted sensitive information disclosure via logging to local users. Note: this description has been updated; previous text mistakenly identified the source of the flaw as Zookeeper. Previous text: Apache Zookeeper logs cleartext admin passwords, which allows local users to obtain sensitive information by reading the log.

Published 2014-04-17 14:55:06

Updated 2018-10-23 13:57:03

Source Red Hat, Inc.

View at NVD, CVE.org

Products affected by CVE-2014-0085

Redhat » Jboss Fuse » Version: 6.0.0
cpe:2.3:a:redhat:jboss_fuse:6.0.0:*:*:*:*:*:*:*
Matching versions
Redhat » Jboss A-mq » Version: 6.0.0
cpe:2.3:a:redhat:jboss_a-mq:6.0.0:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2014-0085

EPSS FAQ

0.12%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 29 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2014-0085

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
2.1	LOW	AV:L/AC:L/Au:N/C:P/I:N/A:N	3.9	2.9	NIST
Access Vector: Local Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None

CWE ids for CVE-2014-0085

CWE-255

Assigned by: nvd@nist.gov (Primary)

References for CVE-2014-0085

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0085

1067265 – (CVE-2014-0085) CVE-2014-0085 Fuse: admin user cleartext password appears in logging
Issue Tracking;Third Party Advisory

Jump to

Vulnerability Details : CVE-2014-0085

Products affected by CVE-2014-0085

Exploit prediction scoring system (EPSS) score for CVE-2014-0085

CVSS scores for CVE-2014-0085

CWE ids for CVE-2014-0085

References for CVE-2014-0085