Vulnerability Description
(1) impl_db2.py and (2) impl_mongodb.py in OpenStack Ceilometer 2013.2 and earlier, when the logging level is set to INFO, logs the connection string from ceilometer.conf, which allows local users to obtain sensitive information (the DB2 or MongoDB password) by reading the log file.
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Openstack | Ceilometer | >= 2013.1, <= 2013.2 |
Related Weaknesses (CWE)
References
- http://www.openwall.com/lists/oss-security/2013/11/22/3Mailing ListThird Party Advisory
- http://www.openwall.com/lists/oss-security/2013/11/25/3Mailing ListThird Party Advisory
- https://bugs.launchpad.net/ceilometer/+bug/1244476ExploitIssue TrackingThird Party Advisory
- http://www.openwall.com/lists/oss-security/2013/11/22/3Mailing ListThird Party Advisory
- http://www.openwall.com/lists/oss-security/2013/11/25/3Mailing ListThird Party Advisory
- https://bugs.launchpad.net/ceilometer/+bug/1244476ExploitIssue TrackingThird Party Advisory
FAQ
What is CVE-2013-6384?
CVE-2013-6384 is a vulnerability with a CVSS score of 1.9 (LOW). (1) impl_db2.py and (2) impl_mongodb.py in OpenStack Ceilometer 2013.2 and earlier, when the logging level is set to INFO, logs the connection string from ceilometer.conf, which allows local users to ...
How severe is CVE-2013-6384?
CVE-2013-6384 has been rated LOW with a CVSS base score of 1.9/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2013-6384?
Check the references section above for vendor advisories and patch information. Affected products include: Openstack Ceilometer.