#VU35663 Inclusion of Sensitive Information in Log Files in Storm - CVE-2019-0202

Published: July 26, 2019 / Updated: August 8, 2020


Vulnerability identifier: #VU35663
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2019-0202
CWE-ID: CWE-532
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Storm
Software vendor: Baofeng

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The Apache Storm Logviewer daemon exposes HTTP-accessible endpoints to read/search log files on hosts running Storm. In Apache Storm versions 0.9.1-incubating to 1.2.2, it is possible to read files off the host's file system that were not intended to be accessible via these endpoints.
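The defensive counterpart of the issue described above is a path-confinement check: the file name a client supplies to a log-serving endpoint must resolve to a path inside the configured log directory, and requests that do not should be flagged in the access log. The following is an added example written for this page, not code from the Apache Storm project; the log root, the `/log` and `/search` endpoint paths, the `file` query parameter and the access-log lines are all constructed for the illustration.

```python
from __future__ import annotations

import os
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed log root for the example; a real deployment would use the
# directory the log-serving daemon is configured to expose.
LOG_ROOT = "/var/log/storm"

# Constructed access-log lines (Common Log Format) illustrating a normal
# request, an encoded traversal attempt and an absolute-path request.
ACCESS_LOG = """\
10.0.0.5 - - [26/Jul/2019:10:00:01 +0000] "GET /log?file=worker-6700.log HTTP/1.1" 200 5120
10.0.0.9 - - [26/Jul/2019:10:00:07 +0000] "GET /log?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1880
10.0.0.9 - - [26/Jul/2019:10:00:09 +0000] "GET /search?file=/etc/hosts&search=root HTTP/1.1" 200 64
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def resolve_log_path(log_root: str, requested: str) -> Optional[str]:
    """Map an already percent-decoded client file name onto log_root.

    Returns the normalised absolute path when it stays inside log_root, or
    None when '..' segments or an absolute path would escape it. Symlinks
    inside the root are not followed here; a live server should also apply
    os.path.realpath before serving the file.
    """
    root = os.path.normpath(log_root)
    candidate = os.path.normpath(os.path.join(root, requested))
    if candidate == root or candidate.startswith(root + os.sep):
        return candidate
    return None


def flag_escapes(access_log: str, log_root: str = LOG_ROOT) -> List[Tuple[str, str]]:
    """Return (client_ip, requested_file) for every request whose 'file'
    parameter would resolve outside log_root; parse_qs percent-decodes."""
    flagged: List[Tuple[str, str]] = []
    for line in access_log.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not request records
        query = urlsplit(m["target"]).query
        for requested in parse_qs(query).get("file", []):
            if resolve_log_path(log_root, requested) is None:
                flagged.append((m["ip"], requested))
    return flagged


if __name__ == "__main__":
    for ip, name in flag_escapes(ACCESS_LOG):
        print(f"path escape attempt from {ip}: file={name!r}")
```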

Remediation

Install update from vendor's website.
