PT-2018-9247 · Sensu · Sensu Core+1

Amdprophet · Published 2018-02-09 · Updated 2019-10-03 · CVE-2018-1000060

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Sensu Core versions prior to 1.2.0; Sensu Core versions before commit 46ff10023e8cbf1b6978838f47c51b20b98fe30b; sensu rubygem versions prior to 1.2.0.
Description: The issue is a flaw in Sensu::Utilities.redact_sensitive() that can result in sensitive configuration data, such as passwords, being logged in clear text. It affects victims whose configuration matches a specific pattern, causing sensitive values to be written to their service log files.
Recommendations: For Sensu Core versions prior to 1.2.0, upgrade to version 1.2.1 or later. For Sensu Core version before commit 46ff10023e8cbf1b6978838f47c51b20b98fe30b, apply the changes after commit 46ff10023e8cbf1b6978838f47c51b20b98fe30b to fix the issue. For sensu rubygem versions prior to 1.2.0, upgrade to rubygem version 1.2.1 or later.
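The weakness class here is a redaction helper that does not cover every place a secret can sit in the configuration it is asked to scrub. The following Ruby is an added example written for this page, not Sensu's code and not a reproduction of the exact pattern behind CVE-2018-1000060 (the page does not state it): it contrasts a constructed shallow redactor with a recursive one and adds a check a defender can run to confirm no known secret survives into the serialised log line. The key list, the sample configuration and the secret values are all constructed for the example.

```ruby
require 'json'

# Key names whose values must never reach a log line. Constructed list for
# this example; a real deployment would take it from its own configuration.
DEFAULT_REDACT_KEYS = %w[password passwd pass api_key api_token access_key
                         secret_key private_key secret].freeze
REDACTED = 'REDACTED'.freeze

# Constructed sample: a client configuration with secrets at several depths
# (under a top-level section, in a nested hash, inside an array of hashes).
SAMPLE_CONFIG = {
  'client' => {
    'name' => 'web-01',
    'password' => 'top-level-secret',
    'keepalive' => { 'handlers' => ['slack'], 'api_token' => 'nested-secret' },
    'checks' => [
      { 'name' => 'db', 'command' => 'check-db.rb', 'secret' => 'array-secret' }
    ]
  }
}.freeze

# The secret literals we planted above, used by the leak check.
KNOWN_SECRETS = %w[top-level-secret nested-secret array-secret].freeze

def sensitive_key?(key, keys = DEFAULT_REDACT_KEYS)
  keys.include?(key.to_s.downcase)
end

# Shallow variant: only inspects the keys of the hash it is handed. This is a
# constructed illustration of how a redaction helper can miss values; it is
# not the Sensu implementation.
def redact_top_level(config, keys = DEFAULT_REDACT_KEYS)
  config.each_with_object({}) do |(k, v), out|
    out[k] = sensitive_key?(k, keys) ? REDACTED : v
  end
end

# Recursive variant: walks hashes and arrays to any depth, so a secret is
# redacted wherever it sits in the structure. Returns a new object and
# leaves the input untouched.
def redact_sensitive(obj, keys = DEFAULT_REDACT_KEYS)
  case obj
  when Hash
    obj.each_with_object({}) do |(k, v), out|
      out[k] = sensitive_key?(k, keys) ? REDACTED : redact_sensitive(v, keys)
    end
  when Array
    obj.map { |v| redact_sensitive(v, keys) }
  else
    obj
  end
end

# Defender's check: serialise the object the way a JSON logger would and look
# for known secret literals. Returns the list of secrets that leaked.
def leaked_secrets(obj, secrets = KNOWN_SECRETS)
  line = JSON.generate(obj)
  secrets.select { |s| line.include?(s) }
end

if __FILE__ == $PROGRAM_NAME
  puts "shallow redactor leaks:   #{leaked_secrets(redact_top_level(SAMPLE_CONFIG)).inspect}"
  puts "recursive redactor leaks: #{leaked_secrets(redact_sensitive(SAMPLE_CONFIG)).inspect}"
end
```

The leak check is the part worth keeping in a test suite: it treats the logger's own serialisation as the unit under test, so any future change to the redactor (a renamed key, a new nesting level, a new container type) that lets a planted secret through fails loudly before it reaches a production log.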

Fix

Insertion into Log File


Weakness Enumeration

Related Identifiers

CVE-2018-1000060
GHSA-69MV-3642-WJ3W
RHSA-2018:0616
RHSA-2018:1112
RHSA-2018:1606

Affected Products

Sensu Core
Sensu Rubygem