Inclusion of Sensitive Information in Log Files in Storm

#VU35663 Inclusion of Sensitive Information in Log Files in Storm

Published: 2019-07-26 | Updated: 2020-08-08

Vulnerability identifier: #VU35663

Vulnerability risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-0202

CWE-ID: CWE-532

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Storm
Client/Desktop applications / Plugins for browsers, ActiveX components

Vendor: Baofeng

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The Apache Storm Logviewer daemon exposes HTTP-accessible endpoints to read/search log files on hosts running Storm. In Apache Storm versions 0.9.1-incubating to 1.2.2, it is possible to read files off the host's file system that were not intended to be accessible via these endpoints.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Storm: 0.9.1 - 0.9.2

External links
http://lists.apache.org/thread.html/220f1a77ff20749326a4c130446c5521db854da0afe81d1974b8109f@%3Cuser.storm.apache.org%3E

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Inclusion of Sensitive Information in Log Files in Baofeng Storm