CVE-2024-3165

CVSS V2 None CVSS V3 None

Description

System->Maintenance-> Log Files in dotCMS dashboard is providing the username/password for database connections in the log output. Nevertheless, this is a moderate issue as it requires a backend admin as well as that dbs are locked down by environment. OWASP Top 10 - A05) Insecure Design OWASP Top 10 - A05) Security Misconfiguration OWASP Top 10 - A09) Security Logging and Monitoring Failure

Overview

CVE ID
CVE-2024-3165

Assigner
dotCMS

Vulnerability Status
PUBLISHED

Published Version
2024-04-01T21:38:04.085Z

Last Modified Date
2024-04-01T21:38:04.085Z

Weakness Enumerations

CWE	URL
CWE-522	http://cwe.mitre.org/data/definitions/522.html

References

Reference URL	Reference Tags
https://auth.dotcms.com/security/SI-70?token=563ec927-3190-4478-bd77-0d6f8c6fc676
https://github.com/dotCMS/core/issues/27910
https://github.com/dotCMS/core/pull/28006

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2024-3165
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3165

History

Created	Old Value	New Value	Data Type	Notes
2024-06-23 23:13:04				Added to TrackCVE