CVE-2024-3165

System -> Maintenance -> Log Files in the dotCMS dashboard exposes the username/password used for database connections in the log output. This is rated a moderate issue because it requires a backend admin account, and databases are expected to be locked down per environment. OWASP Top 10: A05) Insecure Design; A05) Security Misconfiguration; A09) Security Logging and Monitoring Failure.
Configurations

No configuration.

History

26 Jul 2024, 14:15

Type: References
  • Values Removed: {'url': 'https://auth.dotcms.com/security/SI-70', 'source': 'security@dotcms.com'}
  • Values Added: https://www.dotcms.com/security/SI-70

25 Jul 2024, 21:15

Type: Summary (en)
  • Values Removed and Values Added carry the same text: System->Maintenance-> Log Files in dotCMS dashboard is providing the username/password for database connections in the log output. Nevertheless, this is a moderate issue as it requires a backend admin as well as that dbs are locked down by environment. OWASP Top 10 - A05) Insecure Design OWASP Top 10 - A05) Security Misconfiguration OWASP Top 10 - A09) Security Logging and Monitoring Failure
Type: References
  • Values Removed: {'url': 'https://auth.dotcms.com/security/SI-70?token=563ec927-3190-4478-bd77-0d6f8c6fc676', 'source': 'security@dotcms.com'}
  • Values Added: https://auth.dotcms.com/security/SI-70

02 Apr 2024, 12:50

Type: Summary
  • Values Added (es, translated): System->Maintenance-> Log Files in the dotCMS dashboard provides the username/password for database connections in the log output. However, this is a moderate issue, since it requires a backend administrator and the databases are locked down by environment. OWASP Top 10 - A05) Insecure Design OWASP Top 10 - A05) Security Misconfiguration OWASP Top 10 - A09) Security Logging and Monitoring Failure

01 Apr 2024, 22:15

Type: New CVE

Information

Published : 2024-04-01 22:15

Updated : 2024-07-26 14:15


NVD link : CVE-2024-3165

Mitre link : CVE-2024-3165

CVE.ORG link : CVE-2024-3165

Products Affected

No product.

CWE
CWE-522

Insufficiently Protected Credentials