CVE-2013-6384
First published: Sat Nov 23 2013(Updated: )
(1) impl_db2.py and (2) impl_mongodb.py in OpenStack Ceilometer 2013.2 and earlier, when the logging level is set to INFO, logs the connection string from ceilometer.conf, which allows local users to obtain sensitive information (the DB2 or MongoDB password) by reading the log file.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| OpenStack Telemetry (Ceilometer) | >=2013.1<=2013.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2013-6384?
CVE-2013-6384 is classified as a moderate severity vulnerability due to the exposure of sensitive database connection strings.
How do I fix CVE-2013-6384?
To fix CVE-2013-6384, update OpenStack Ceilometer to version 2013.2.1 or later and ensure logging is set to a level higher than INFO.
Who is affected by CVE-2013-6384?
OpenStack Ceilometer versions 2013.2 and earlier are affected by CVE-2013-6384.
What information is exposed by CVE-2013-6384?
CVE-2013-6384 exposes sensitive database connection strings, including passwords for DB2 or MongoDB, in log files.
Can local users exploit CVE-2013-6384?
Yes, local users can exploit CVE-2013-6384 by accessing log files to retrieve sensitive information.
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/weakness
- agent/references
- agent/author
- agent/severity
- agent/description
- agent/event
- agent/first-publish-date
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/openstack
- canonical/openstack telemetry (ceilometer)
- version/openstack telemetry (ceilometer)/2013.1
- version/openstack telemetry (ceilometer)/2013.2