CVE-2013-6384Log File Information Exposure in Ceilometer

CWE-532Log File Information Exposure7 documents7 sources
Severity
1.9LOWNVD
EPSS
0.1%
top 82.23%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Openstack Ceilometer
Timeline
PublishedNov 23
Latest updateMay 13

Description

(1) impl_db2.py and (2) impl_mongodb.py in OpenStack Ceilometer 2013.2 and earlier, when the logging level is set to INFO, logs the connection string from ceilometer.conf, which allows local users to obtain sensitive information (the DB2 or MongoDB password) by reading the log file.

CVSS vector

AV:L/AC:M/C:P/I:N/A:NExploitability: 3.4 | Impact: 2.9

Affected Packages2 packages

Debianopenstack/ceilometer< 2013.2-4+3
NVDopenstack/ceilometer2013.12013.2

🔴Vulnerability Details

3
GHSA
GHSA-jhf3-ph2m-2vjq: (1) impl_db22022-05-13
CVEList
CVE-2013-6384: (1) impl_db22013-11-23
OSV
CVE-2013-6384: (1) impl_db22013-11-23

📋Vendor Advisories

2
Red Hat
OpenStack: Ceilometer DB2/MongoDB backend password leak2013-11-22
Debian
CVE-2013-6384: ceilometer - (1) impl_db2.py and (2) impl_mongodb.py in OpenStack Ceilometer 2013.2 and earli...2013

💬Community

1
Bugzilla
CVE-2013-6384 OpenStack: Ceilometer DB2/MongoDB backend password leak2013-11-22
CVE-2013-6384 — Log File Information Exposure | cvebase