Russ Wright

Researcher from Adobe
Rank #36751 of 53,632
7.5 Total CVSS
Vulnerabilities · 1
PT-2020-15178
7.5
2020-01-28
Apache · Apache Jackrabbit Oak · CVE-2020-1940
**Name of the Vulnerable Software and Affected Versions**

Apache Jackrabbit Oak versions 1.2.0 through 1.22.0

**Description**

The issue is related to the optional initial password change and password expiration features. These features are prone to a sensitive information disclosure issue. The code requires the changed password to be passed as an additional attribute to the `credentials` object but does not remove it upon processing during the first phase of the authentication. This may lead to the new password being disclosed when used in combination with additional, independent authentication mechanisms.

**Recommendations**

For Apache Jackrabbit Oak versions 1.2.0 through 1.22.0, consider disabling the initial password change and password expiration features as a temporary workaround until a patch is available. Restrict access to the authentication mechanisms to minimize the risk of exploitation. Avoid using the changed password as an attribute in the `credentials` object until the issue is resolved.