Lucene search

GoogleOSV:GHSA-3H68-WVV6-8R5H

HistoryDec 10, 2021 - 5:20 p.m.

Improper Removal of Sensitive Information Before Storage or Transfer in Apache Jackrabbit Oak

2021-12-1017:20:11

Google

osv.dev

0.006 Low

EPSS

Percentile

79.3%

JSON

The optional initial password change and password expiration features present in Apache Jackrabbit Oak 1.2.0 to 1.22.0 are prone to a sensitive information disclosure vulnerability. The code mandates the changed password to be passed as an additional attribute to the credentials object but does not remove it upon processing during the first phase of the authentication. In combination with additional, independent authentication mechanisms, this may lead to the new password being disclosed.

CPENameOperatorVersion
org.apache.jackrabbit:oak-coreeq1.20.0
org.apache.jackrabbit:oak-coreeq1.22.12
org.apache.jackrabbit:oak-coreeq1.22.9
org.apache.jackrabbit:oak-coreeq1.22.11
org.apache.jackrabbit:oak-coreeq1.14.0
org.apache.jackrabbit:oak-coreeq1.10.2
org.apache.jackrabbit:oak-coreeq1.22.5
org.apache.jackrabbit:oak-coreeq1.18.0
org.apache.jackrabbit:oak-coreeq1.10.0
org.apache.jackrabbit:oak-coreeq1.12.0

Name	Operator	Version
org.apache.jackrabbit:oak-core	eq	1.20.0
org.apache.jackrabbit:oak-core	eq	1.22.12
org.apache.jackrabbit:oak-core	eq	1.22.9
org.apache.jackrabbit:oak-core	eq	1.22.11
org.apache.jackrabbit:oak-core	eq	1.14.0
org.apache.jackrabbit:oak-core	eq	1.10.2
org.apache.jackrabbit:oak-core	eq	1.22.5
org.apache.jackrabbit:oak-core	eq	1.18.0
org.apache.jackrabbit:oak-core	eq	1.10.0
org.apache.jackrabbit:oak-core	eq	1.12.0

Rows per page:

1-10 of 281

References

www.openwall.com/lists/oss-security/2020/01/28/1

lists.apache.org/thread.html/r3da8e2fd253ecd4d3a0de71ce255631148b54be8500225b5812f7737@%3Coak-commits.jackrabbit.apache.org%3E

lists.apache.org/thread.html/r45b0e2fb6ac51c5a03952b08b5e0efde1249ecb809884cc87eb0bd99@%3Ccommits.jackrabbit.apache.org%3E

lists.apache.org/thread.html/r601637e38ee743e845856a4e24915cb8db26ae80ca782bef91989cbc@%3Coak-commits.jackrabbit.apache.org%3E

lists.apache.org/thread.html/ra295f919586b19def7cc7713d9d78595507d5f703362fccb779eeeb9@%3Coak-commits.jackrabbit.apache.org%3E

lists.apache.org/thread.html/ra6b3e78f5ed545c1d859d664f66c6d3fc5d731d9b1d842349654e4f0@%3Ccommits.jackrabbit.apache.org%3E

lists.apache.org/thread.html/rb3023cfd45441b570c1abaa347d0cac78df97b5d3f27d674d01b3d2a@%3Ccommits.jackrabbit.apache.org%3E

lists.apache.org/thread.html/rba884dbe733781cbaaffa28b77bc37a6a9f948b3a72a1bdad5e1587c@%3Ccommits.jackrabbit.apache.org%3E

lists.apache.org/thread.html/rbef4701b5ce4d827182e70ad7b4d987a9157682ba3643e05a9ef5a7b@%3Ccommits.jackrabbit.apache.org%3E

lists.apache.org/thread.html/rc35a57ecdeae342d46f729d6bc9750ba860c101f450cc171798dba28@%3Coak-commits.jackrabbit.apache.org%3E

lists.apache.org/thread.html/rccc0ed467faa35734ea16b8f5de5603e708936c41a4eddd90fddeaf0%40%3Cusers.jackrabbit.apache.org%3E

lists.apache.org/thread.html/rccc0ed467faa35734ea16b8f5de5603e708936c41a4eddd90fddeaf0@%3Cannounce.jackrabbit.apache.org%3E

nvd.nist.gov/vuln/detail/CVE-2020-1940

0.006 Low

EPSS

Percentile

79.3%

JSON

Related for OSV:GHSA-3H68-WVV6-8R5H