An information disclosure in ovirt-hosted-engine-setup prior to 2.2.7 reveals the root user's password in the log file.