CVE-2014-3561
ovirt-engine-log-collector: database password disclosed in process listing
Public Exploits: 0
Descriptions
The rhevm-log-collector package in Red Hat Enterprise Virtualization 3.4 uses the PostgreSQL database password on the command line when calling sosreport, which allows local users to obtain sensitive information by listing the processes.
It was found that rhevm-log-collector called sosreport with the PostgreSQL database password passed as a command line parameter. A local attacker could read this password by monitoring a process listing. The password would also be written to a log file, which could potentially be read by a local attacker.
Timeline
- 2014-05-14 CVE Reserved
- 2014-12-03 CVE Published
- 2023-03-08 EPSS Updated
- 2024-08-06 CVE Updated
CWE
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
- CWE-522: Insufficiently Protected Credentials
References (5)
URL | Tag | Source |
---|---|---|
http://www.securitytracker.com/id/1031291 | Vdb Entry | |
https://exchange.xforce.ibmcloud.com/vulnerabilities/99096 | Vdb Entry | |

URL | Date | SRC |
---|---|---|
http://rhn.redhat.com/errata/RHSA-2014-1947.html | 2023-02-13 | |
https://access.redhat.com/security/cve/CVE-2014-3561 | 2014-12-02 | |
https://bugzilla.redhat.com/show_bug.cgi?id=1122781 | 2014-12-02 | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Redhat | Enterprise Virtualization | 3.4 | - | Affected |