Main Vulnerability Database Vulnerabilities #VU42327

Information disclosure in Ceilometer - CVE-2013-6384

Published: November 23, 2013 / Updated: August 10, 2020

Vulnerability identifier: #VU42327

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2013-6384

CWE-ID: CWE-200

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Openstack

Affected software:
Ceilometer

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

(1) impl_db2.py and (2) impl_mongodb.py in OpenStack Ceilometer 2013.2 and earlier, when the logging level is set to INFO, logs the connection string from ceilometer.conf, which allows local users to obtain sensitive information (the DB2 or MongoDB password) by reading the log file.

How to mitigate CVE-2013-6384

Install update from vendor's website.

Sources

http://www.openwall.com/lists/oss-security/2013/11/22/3
http://www.openwall.com/lists/oss-security/2013/11/25/3
https://bugs.launchpad.net/ceilometer/+bug/1244476

Information disclosure in Ceilometer - CVE-2013-6384

Detailed vulnerability description

How to mitigate CVE-2013-6384

Sources

Please verify you're human