Information Exposure affecting org.apache.jackrabbit:oak-core package, versions [,1.4.25), [1.6.0,1.6.20), [1.8.0,1.8.20), [1.10.0,1.10.8), [1.12.0,1.22.1)

  • published: 29 Jan 2020

  • disclosed: 28 Jan 2020

  • credit: Andrew Khoury and Russ Wright

How to fix?

Upgrade org.apache.jackrabbit:oak-core to version 1.4.25, 1.6.20, 1.8.20, 1.10.8, 1.22.1 or higher.

org.apache.jackrabbit:oak-core is a complementary implementation of the JCR specification.

Affected versions of this package are vulnerable to Information Exposure. The optional initial password change and password expiration features are prone to a sensitive information disclosure vulnerability. The code requires the changed password to be passed as an additional attribute on the credentials object, but it does not remove that attribute once it has been processed during the first phase of authentication. When further, independent authentication mechanisms run afterwards and read or forward the credentials' attributes, the new password may be disclosed to them.
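The following Java program is an added illustration of the defect class the advisory describes; it is not Oak's code, and it does not use Oak's real attribute name or login modules. DemoCredentials is a small stand-in modelled on javax.jcr.SimpleCredentials (a user id, a password, and a bag of named attributes). NEW_PASSWORD_ATTR, firstPhaseVulnerable, firstPhaseFixed and secondMechanismForwards are all assumed names introduced here. The vulnerable first phase consumes the new password from the attribute bag but leaves it there, so a later, independent mechanism that inspects the attributes still sees it; the fixed variant removes the attribute once it has been applied.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

/*
 * Added example, not Apache Jackrabbit Oak code. DemoCredentials is a stand-in
 * modelled on javax.jcr.SimpleCredentials. NEW_PASSWORD_ATTR is an assumed
 * placeholder attribute name, not the one Oak actually uses.
 */
public class PasswordChangeLeakDemo {

    // Assumed attribute name carrying the requested new password.
    static final String NEW_PASSWORD_ATTR = "demo.newPassword";

    /** Minimal stand-in for javax.jcr.SimpleCredentials. */
    static final class DemoCredentials {
        final String userId;
        private final char[] password;
        private final Map<String, Object> attributes = new LinkedHashMap<>();

        DemoCredentials(String userId, char[] password) {
            this.userId = userId;
            this.password = password.clone();
        }
        void setAttribute(String name, Object value) { attributes.put(name, value); }
        Object getAttribute(String name) { return attributes.get(name); }
        void removeAttribute(String name) { attributes.remove(name); }
        Set<String> getAttributeNames() { return attributes.keySet(); }
    }

    /** Toy user store that the first-phase login module updates (constructed for the demo). */
    static final Map<String, char[]> userStore = new LinkedHashMap<>();

    /** Vulnerable first phase: applies the new password but leaves it in the attribute bag. */
    static void firstPhaseVulnerable(DemoCredentials creds) {
        Object np = creds.getAttribute(NEW_PASSWORD_ATTR);
        if (np instanceof String) {
            userStore.put(creds.userId, ((String) np).toCharArray());
            // Defect: the attribute is not removed, so every later module that
            // reads the credentials' attributes still sees the cleartext new password.
        }
    }

    /** Fixed first phase: same behaviour, but the attribute is removed once processed. */
    static void firstPhaseFixed(DemoCredentials creds) {
        Object np = creds.getAttribute(NEW_PASSWORD_ATTR);
        if (np instanceof String) {
            userStore.put(creds.userId, ((String) np).toCharArray());
            creds.removeAttribute(NEW_PASSWORD_ATTR);
        }
    }

    /**
     * Stand-in for an independent second authentication mechanism that forwards
     * credential attributes elsewhere (an external identity provider, an audit
     * log, token claims). Returns the attribute names it would forward, which
     * makes the exposure observable.
     */
    static Set<String> secondMechanismForwards(DemoCredentials creds) {
        return creds.getAttributeNames();
    }

    public static void main(String[] args) {
        DemoCredentials c1 = new DemoCredentials("alice", "old-pw".toCharArray());
        c1.setAttribute(NEW_PASSWORD_ATTR, "new-secret");
        firstPhaseVulnerable(c1);
        System.out.println("vulnerable: second mechanism sees " + secondMechanismForwards(c1));

        DemoCredentials c2 = new DemoCredentials("bob", "old-pw".toCharArray());
        c2.setAttribute(NEW_PASSWORD_ATTR, "new-secret");
        firstPhaseFixed(c2);
        System.out.println("fixed: second mechanism sees " + secondMechanismForwards(c2));
    }
}
```

Compile and run it with a plain JDK (`javac PasswordChangeLeakDemo.java && java PasswordChangeLeakDemo`). In the vulnerable run the second mechanism's view still contains the new-password attribute; in the fixed run the attribute set is empty. For a real deployment the mitigation is the upgrade listed above; the pattern to look for in any custom login module is a one-shot secret carried in a shared credentials object that is consumed but never cleared before the next module in the chain runs.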