Main Vulnerability Database Vulnerabilities #VU42327

#VU42327 Information disclosure in Ceilometer - CVE-2013-6384

Published: November 23, 2013 / Updated: August 10, 2020

Vulnerability identifier: #VU42327

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2013-6384

CWE-ID: CWE-200

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Ceilometer

Software vendor:
Openstack

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

(1) impl_db2.py and (2) impl_mongodb.py in OpenStack Ceilometer 2013.2 and earlier, when the logging level is set to INFO, logs the connection string from ceilometer.conf, which allows local users to obtain sensitive information (the DB2 or MongoDB password) by reading the log file.

Remediation

Install update from vendor's website.

External links

http://www.openwall.com/lists/oss-security/2013/11/22/3
http://www.openwall.com/lists/oss-security/2013/11/25/3
https://bugs.launchpad.net/ceilometer/+bug/1244476

#VU42327 Information disclosure in Ceilometer - CVE-2013-6384

Description

Remediation

External links

Please verify you're human