Information disclosure in OpenStack Ceilometer



Published: 2019-04-01
Risk: Low
Patch available: YES
Number of vulnerabilities: 1
CVE-ID: CVE-2019-3830
CWE-ID: CWE-200
Exploitation vector: Local
Public exploit: N/A
Vulnerable software: Ceilometer (Operating systems & Components / Operating system package or component)
Vendor: OpenStack

Security Bulletin

This security bulletin contains one low-risk vulnerability.

1) Information disclosure

EUVDB-ID: #VU18105

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2019-3830

CWE-ID: CWE-200 - Information Exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists because ceilometer-agent prints sensitive information into log files by default, even when DEBUG logging is not activated. A local user can view the log files and obtain sensitive information, such as administrative credentials.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Ceilometer: 10.0.0 - 11.0.1


External links

http://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3830
