4.5

CVE-2024-3165

Database Credential Exposure in the Logs

The System -> Maintenance -> Log Files view in the dotCMS dashboard includes the username and password for database connections in the log output. This is rated a moderate issue because it requires a backend admin account, and databases are normally locked down per environment.

OWASP Top 10 - A05) Insecure Design

OWASP Top 10 - A05) Security Misconfiguration

OWASP Top 10 - A09) Security Logging and Monitoring Failure
Data provided by the National Vulnerability Database (NVD)
Affected configurations (CPE):
dotCMS dotCMS, version >= 22.02 and < 22.03.15
dotCMS dotCMS, version >= 23.01 and < 23.01.15
dotCMS dotCMS, version >= 23.02 and <= 23.09.7
dotCMS dotCMS, version 23.10.24 update 1, software edition LTS
dotCMS dotCMS, version 23.10.24 update 2, software edition LTS
dotCMS dotCMS, version 23.10.24 update 3, software edition LTS
dotCMS dotCMS, version 23.10.24 update 4, software edition LTS
dotCMS dotCMS, version 23.10.24 update 5, software edition LTS
dotCMS dotCMS, version 23.10.24 update 6, software edition LTS
dotCMS dotCMS, version 23.10.24 update 7, software edition LTS
VulnDex Vulnerability Enrichment
No advisory was found for this CVE.
EPSS Metrics
Type   Source     Score   Percentile
EPSS   FIRST.org  0.5%    0.385

CVSS Metrics
Source               Base Score   Exploit Score   Impact Score   Vector String
security@dotcms.com  4.5          0.9             3.6            CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N
CWE-532 Insertion of Sensitive Information into Log File

The product writes sensitive information to a log file.
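The weakness here (CWE-532) is that a diagnostics view echoes configuration that contains database credentials. A standard mitigation is to redact secret values before a line reaches any log sink, while keeping the key or username so the line is still useful for troubleshooting. The following is an added example written for this page, not dotCMS code and not the fix shipped in the referenced pull request: a Python logging filter that masks passwords in key=value configuration dumps and in the userinfo part of connection URLs. The patterns and the sample log lines are constructed for illustration.

```python
import logging
import re

# Patterns for secrets that commonly appear in connection-configuration dumps.
# Constructed for this example; extend them to match the formats your own logs carry.
_PATTERNS = [
    # key=value or key: value pairs such as "password=s3cr3t" or "db.password: s3cr3t"
    re.compile(r"(?i)(\b(?:password|passwd|pwd|secret)\b\s*[=:]\s*)([^\s,;&]+)"),
    # credentials embedded in a URL authority: scheme://user:pass@host
    re.compile(r"(?i)(://[^/\s:@]+:)([^@\s]+)(@)"),
]


def redact(text: str) -> str:
    """Mask secret values in a log line; the key or username is preserved."""
    for pat in _PATTERNS:
        if pat.groups == 3:
            # URL form: keep "://user:" and "@", replace only the password between them
            text = pat.sub(r"\1[REDACTED]\3", text)
        else:
            # key=value form: keep "key=", replace the value
            text = pat.sub(r"\1[REDACTED]", text)
    return text


class RedactingFilter(logging.Filter):
    """Logging filter that rewrites the rendered message before any handler sees it."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Render %-style arguments first so secrets passed as args are covered too,
        # then clear args so the handler does not re-format the message.
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def build_logger(name: str = "db") -> logging.Logger:
    """Return a logger with the redaction filter attached (hypothetical helper name)."""
    logger = logging.getLogger(name)
    if not any(isinstance(f, RedactingFilter) for f in logger.filters):
        logger.addFilter(RedactingFilter())
    return logger


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
    log = build_logger()
    # Constructed sample lines resembling a configuration dump.
    log.info("DB_BASE_URL=jdbc:postgresql://dbuser:hunter2@db.internal:5432/app")
    log.info("db.password=%s, db.user=%s", "hunter2", "dbuser")
```

The filter is attached to the logger rather than to a handler so that every handler, including any UI that later renders the log file, receives the redacted record. Because redaction runs on the rendered message, it also catches secrets passed as format arguments, which a filter on the raw template would miss.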

References:
https://github.com/dotCMS/core/issues/27910 (Issue Tracking)
https://github.com/dotCMS/core/pull/28006 (Issue Tracking)
https://www.dotcms.com/security/SI-70 (Broken Link)