CVE-2024-53865
Vulnerability Scoring
Attack Complexity Details
- Attack Complexity: Low Impact
- Attack Vector: LOCAL
- Privileges Required: HIGH IMPACT
- Scope: CHANGED
- User Interaction: NONE
CIA Impact Definition
- Confidentiality: HIGH IMPACT
- Integrity: HIGH IMPACT
- Availability: HIGH IMPACT
CVE-2024-53865 Vulnerability Summary
zhmcclient is a pure Python client library for the IBM Z HMC Web Services API. In affected versions the Python package "zhmcclient" writes password-like properties in clear text into its HMC and API logs in the following cases: 1. The 'boot-ftp-password' and 'ssc-master-pw' properties when creating or updating a partition in DPM mode, in the zhmcclient API and HMC logs. 2. The 'ssc-master-pw' and 'zaware-master-pw' properties when updating an LPAR in classic mode, in the zhmcclient API and HMC logs. 3. The 'ssc-master-pw' and 'zaware-master-pw' properties when creating or updating an image activation profile in classic mode, in the zhmcclient API and HMC logs. 4. The 'password' property when creating or updating an HMC user, in the zhmcclient API log. 5. The 'bind-password' property when creating or updating an LDAP server definition, in the zhmcclient API and HMC logs. This issue affects only users of the zhmcclient package that have enabled the Python loggers named "zhmcclient.api" (for the API log) or "zhmcclient.hmc" (for the HMC log) and that use the functions listed above. This issue has been fixed in zhmcclient version 1.18.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Need help fixing CVEs? Check out our Step-by-Step Guide on How to Fix CVEs.
Access Complexity Graph for CVE-2024-53865
Impact Analysis for CVE-2024-53865
CVE-2024-53865: Detailed Information and External References
EPSS
0.00043
EPSS %
0.10929
References
0.00043
- https://github.com/zhmcclient/python-zhmcclient/commit/ad32781e782d0f604c6da4680fce48e4cc1f4433
- https://github.com/zhmcclient/python-zhmcclient/security/advisories/GHSA-p57h-3cmc-xpjq
CWE
CWE-312
CAPEC
0.00043
- Retrieve Embedded Sensitive Data: An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack.
CVSS3 Source
security-advisories@github.com
CVSS3 Type
Secondary
CVSS3 Vector
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Protect Your Infrastructure: Combat Critical CVE Threats
Stay updated with real-time CVE vulnerabilities and take action to secure your systems. Enhance your cybersecurity posture with the latest threat intelligence and mitigation techniques. Develop the skills necessary to defend against CVEs and secure critical infrastructures. Join the top cybersecurity professionals safeguarding today's infrastructures.