Inclusion of Sensitive Information in Log Files in Baofeng Storm



Published: 2019-07-26 | Updated: 2020-08-08
Risk Medium
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2019-0202
CWE-ID CWE-532
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
Storm
Client/Desktop applications / Plugins for browsers, ActiveX components

Vendor Baofeng

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Inclusion of Sensitive Information in Log Files

EUVDB-ID: #VU35663

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-0202

CWE-ID: CWE-532 - Information Exposure Through Log Files

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The Apache Storm Logviewer daemon exposes HTTP-accessible endpoints to read/search log files on hosts running Storm. In Apache Storm versions 0.9.1-incubating to 1.2.2, it is possible to read files off the host's file system that were not intended to be accessible via these endpoints.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Storm: 0.9.1 - 0.9.2

External links

http://lists.apache.org/thread.html/220f1a77ff20749326a4c130446c5521db854da0afe81d1974b8109f@%3Cuser.storm.apache.org%3E


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###