CVE Vulnerability

CVE-2018-1000060

Sensu, Inc. Sensu Core version Before 1.2.0 & before commit 46ff10023e8cbf1b6978838f47c51b20b98fe30b contains a CWE-522 vulnerability in Sensu::Utilities.redact_sensitive() that can result in sensitive configuration data (e.g. passwords) may be logged in clear-text. This attack appear to be exploitable via victims with configuration matching a specific pattern will observe sensitive data outputted in their service log files. This vulnerability appears to have been fixed in 1.2.1 and later, after commit 46ff10023e8cbf1b6978838f47c51b20b98fe30b.

5 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 10 / Impact : 2.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

Scope

9.8 /10

CVSS v3.0 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/sensu/sensu/pull/1810 Issue Tracking Patch
https://github.com/sensu/sensu/issues/1804 Issue Tracking Vendor Advisory
https://access.redhat.com/errata/RHSA-2018:0616 Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:1112 Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:1606 Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:sensu:sensu_core:*:*:*:*:*:*:*:*
Information

Published : 2018-02-09 11:29

Updated : 2019-10-03 12:03

NVD link : CVE-2018-1000060

Mitre link : CVE-2018-1000060

Products Affected
No products.
CWE
CWE-532

Insertion of Sensitive Information into Log File