CVE-2024-3165

System->Maintenance-> Log Files in dotCMS dashboard is providing the username/password for database connections in the log output. Nevertheless, this is a moderate issue as it requires a backend admin as well as that dbs are locked down by environment. OWASP Top 10 - A05) Insecure Design OWASP Top 10 - A05) Security Misconfiguration OWASP Top 10 - A09) Security Logging and Monitoring Failure

CVSS v3 4.5 MEDIUM

4.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 0.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://auth.dotcms.com/security/SI-70?token=563ec927-3190-4478-bd77-0d6f8c6fc676
https://github.com/dotCMS/core/issues/27910
https://github.com/dotCMS/core/pull/28006

Configurations

No configuration.

History

02 Apr 2024, 12:50

Type	Values Removed	Values Added
Summary		(es) System->Maintenance-> Log Files en el panel de dotCMS proporciona el nombre de usuario/contraseña para las conexiones de la base de datos en la salida del registro. Sin embargo, este es un problema moderado, ya que requiere un administrador de backend y que las bases de datos estén bloqueadas por el entorno. OWASP Top 10 - A05) Diseño inseguro OWASP Top 10 - A05) Configuración incorrecta de seguridad OWASP Top 10 - A09) Fallo de registro y monitoreo de seguridad

01 Apr 2024, 22:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-04-01 22:15

Updated : 2024-04-02 12:50

NVD link : CVE-2024-3165

Mitre link : CVE-2024-3165

CVE.ORG link : CVE-2024-3165

JSON object : View

Products Affected

No product.

CWE

CWE-522

Insufficiently Protected Credentials

4.5 /10