Information disclosure in Openstack Ceilometer



Published: 2013-11-23 | Updated: 2020-08-10
Risk Low
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2013-6384
CWE-ID CWE-200
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
Ceilometer
Operating systems & Components / Operating system package or component

Vendor Openstack

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Information disclosure

EUVDB-ID: #VU42327

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2013-6384

CWE-ID: CWE-200 - Information Exposure

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

(1) impl_db2.py and (2) impl_mongodb.py in OpenStack Ceilometer 2013.2 and earlier, when the logging level is set to INFO, logs the connection string from ceilometer.conf, which allows local users to obtain sensitive information (the DB2 or MongoDB password) by reading the log file.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Ceilometer: 2013.1


CPE2.3 External links

http://www.openwall.com/lists/oss-security/2013/11/22/3
http://www.openwall.com/lists/oss-security/2013/11/25/3
http://bugs.launchpad.net/ceilometer/+bug/1244476

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?



###SIDEBAR###