CVE-2014-3561

The rhevm-log-collector package in Red Hat Enterprise Virtualization 3.4 uses the PostgreSQL database password on the command line when calling sosreport, which allows local users to obtain sensitive information by listing the processes.

CVSS v2.0 2.1 LOW

2.1^/10

CVSS v2.0 : LOW

Vector : AV:L/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 3.9 / Impact : 2.9

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
http://rhn.redhat.com/errata/RHSA-2014-1947.html	Vendor Advisory
http://www.securitytracker.com/id/1031291
https://exchange.xforce.ibmcloud.com/vulnerabilities/99096
http://rhn.redhat.com/errata/RHSA-2014-1947.html	Vendor Advisory
http://www.securitytracker.com/id/1031291
https://exchange.xforce.ibmcloud.com/vulnerabilities/99096

Configurations

Configuration 1 (hide)

cpe:2.3:a:redhat:enterprise_virtualization:3.4:*:*:*:*:*:*:*

History

21 Nov 2024, 02:08

Type	Values Removed	Values Added
References	~~() http://rhn.redhat.com/errata/RHSA-2014-1947.html - Vendor Advisory~~	() http://rhn.redhat.com/errata/RHSA-2014-1947.html - Vendor Advisory
References	~~() http://www.securitytracker.com/id/1031291 -~~	() http://www.securitytracker.com/id/1031291 -
References	~~() https://exchange.xforce.ibmcloud.com/vulnerabilities/99096 -~~	() https://exchange.xforce.ibmcloud.com/vulnerabilities/99096 -

Information

Published : 2014-12-05 16:59

Updated : 2024-11-21 02:08

NVD link : CVE-2014-3561

Mitre link : CVE-2014-3561

CVE.ORG link : CVE-2014-3561

JSON object : View

Products Affected

redhat

enterprise_virtualization

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

{"id": "CVE-2014-3561", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 2.1, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2014-12-05T16:59:02.970", "references": [{"url": "http://rhn.redhat.com/errata/RHSA-2014-1947.html", "tags": ["Vendor Advisory"], "source": "secalert@redhat.com"}, {"url": "http://www.securitytracker.com/id/1031291", "source": "secalert@redhat.com"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/99096", "source": "secalert@redhat.com"}, {"url": "http://rhn.redhat.com/errata/RHSA-2014-1947.html", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.securitytracker.com/id/1031291", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/99096", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "The rhevm-log-collector package in Red Hat Enterprise Virtualization 3.4 uses the PostgreSQL database password on the command line when calling sosreport, which allows local users to obtain sensitive information by listing the processes."}, {"lang": "es", "value": "El paquete rhevm-log-collector en Red Hat Enterprise Virtualization 3.4 utiliza la contrase\u00f1a de la base de datos PostgreSQL en la l\u00ednea de comandos cuando llama a sosreport, lo que permite a usuarios locales obtener informaci\u00f3n sensible mediante el listado de los procesos."}], "lastModified": "2024-11-21T02:08:22.497", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:redhat:enterprise_virtualization:3.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FDA49BAA-D188-4F05-9AE8-E5A736EE1267"}], "operator": "OR"}]}], "sourceIdentifier": "secalert@redhat.com"}