PT-2013-6022 · Openstack · Openstack Ceilometer

Eric Brown · Published 2013-11-23 · Updated 2020-10-21 · CVE-2013-6384

CVSS v2.0: 1.9 (Low)
Vector: AV:L/AC:M/Au:N/C:P/I:N/A:N
Name of the Vulnerable Software and Affected Versions: OpenStack Ceilometer versions 2013.2 and earlier
Description: The issue allows local users to obtain sensitive information, specifically the DB2 or MongoDB password, by reading the log file when the logging level is set to INFO. This occurs because the connection string from ceilometer.conf is logged by impl_db2.py and impl_mongodb.py.
Recommendations: For OpenStack Ceilometer versions 2013.2 and earlier, consider changing the logging level from INFO to a less verbose setting to prevent sensitive information from being logged. As a temporary workaround, restrict access to the log files to minimize the risk of exploitation.
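As an added illustration of the leak described above and of the corresponding hardening (example code written for this page, not Ceilometer's own code), the snippet below redacts the password from a storage connection URL before it reaches the log, and scans a constructed log excerpt for known secrets. It assumes the usual scheme://user:password@host/db form of the connection string; all URLs and passwords in it are constructed sample values.

```python
"""Mask credentials in a storage connection URL before logging it."""
import logging
import re

# Matches the credential part of a connection URL: scheme://user[:password]@
_CREDS_RE = re.compile(
    r"^(?P<scheme>[A-Za-z][A-Za-z0-9+.-]*://)"
    r"(?P<user>[^:@/]+)(?::(?P<pw>[^@/]*))?@"
)


def mask_connection_url(url: str, mask: str = "***") -> str:
    """Return url with the password replaced by mask; user and hosts are kept."""
    m = _CREDS_RE.match(url)
    if m is None or m.group("pw") is None:
        return url  # no credentials, or username only: nothing to redact
    return f"{m.group('scheme')}{m.group('user')}:{mask}@{url[m.end():]}"


def connection_log_message(url: str, redact: bool) -> str:
    """Build the INFO-level message a storage driver emits on connect.

    redact=False reproduces the leaky pattern (full URL including password);
    redact=True is the hardened form.
    """
    shown = mask_connection_url(url) if redact else url
    return f"connecting to {shown}"


def leaked_secrets(log_lines, secrets):
    """Defender-side check: which known secrets appear verbatim in the log."""
    return sorted({s for s in secrets for line in log_lines if s and s in line})


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    mongo = "mongodb://ceilometer:S3cretPass@mongo1:27017,mongo2:27017/ceilometer"
    db2 = "db2://ceilometer:AnotherS3cret@db2host:50000/ceilometer"
    logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
    log = logging.getLogger("ceilometer.storage")
    for url in (mongo, db2):
        log.info(connection_log_message(url, redact=True))
    # Constructed log excerpt: one leaky line, one redacted line.
    excerpt = [connection_log_message(mongo, redact=False),
               connection_log_message(db2, redact=True)]
    print("leaked:", leaked_secrets(excerpt, ["S3cretPass", "AnotherS3cret"]))
```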

Weakness Enumeration

Insertion into Log File

Related identifiers

CVE-2013-6384

Affected products

Db2
Mongodb
Openstack Ceilometer