Information disclosure in Openstack Ceilometer

Published: 2013-11-23 | Updated: 2020-08-10
Risk Low
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2013-6384
Exploitation vector Network
Public exploit N/A
Vulnerable software
Operating systems & Components / Operating system package or component

Vendor Openstack

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Information disclosure

EUVDB-ID: #VU42327

Risk: Low


CVE-ID: CVE-2013-6384

CWE-ID: CWE-200 - Information Exposure

Exploit availability: No


The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

(1) and (2) in OpenStack Ceilometer 2013.2 and earlier, when the logging level is set to INFO, logs the connection string from ceilometer.conf, which allows local users to obtain sensitive information (the DB2 or MongoDB password) by reading the log file.


Install update from vendor's website.

Vulnerable software versions

Ceilometer: 2013.1

CPE2.3 External links

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?