CVE-2024-3165

EUVD-2024-31762
The System -> Maintenance -> Log Files view in the dotCMS dashboard prints the username and password used for database connections in the log output. This is a moderate issue: reading the log view requires a backend administrator account, and the database servers are normally locked down to the application's environment, so the leaked credentials are of limited use to an attacker without that access.
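The defect above is database credentials surfacing in a log view. The following added example, which is not dotCMS code and is not part of this advisory, is a small Python scanner that a practitioner can run over exported log files to detect and mask the two usual forms of such a leak: a `user:password@host` authority inside a JDBC-style URL, and `password=` / `password:` key-value pairs in datasource dumps. The sample log lines are constructed for the example and do not reproduce real dotCMS output; the regular expressions, function names and the `***` mask are assumptions of this example.

```python
import re
from typing import List, Tuple

# Constructed sample log lines (NOT real dotCMS output). They cover a JDBC URL
# carrying credentials as query parameters, a datasource property dump, a
# benign line, and a JDBC URL with credentials in the authority part.
SAMPLE_LOG = """\
2024-03-01 10:00:01 INFO  DataSource - url=jdbc:postgresql://db.internal:5432/dotcms?user=dotcms&password=S3cr3t!
2024-03-01 10:00:02 INFO  DataSource - {username=dotcms_app, password=hunter2, maxPoolSize=40}
2024-03-01 10:00:03 INFO  Startup - cache warmed in 812ms
2024-03-01 10:00:04 DEBUG Pool - jdbc:mysql://dotcms:pa55@db2.internal:3306/cms
"""

# Pattern 1: a password-like key followed by '=' or ':' and a value. The value
# ends at whitespace or at the separators used in query strings and maps.
PASSWORD_KV = re.compile(r'(?i)(\b(?:password|passwd|pwd)\s*[=:]\s*)([^\s&,;}\']+)')

# Pattern 2: scheme://user:password@host. The group structure keeps the user
# and the '@' so only the secret itself is masked.
URL_USERINFO = re.compile(r'(?i)(\b[a-z][a-z0-9+.-]*://[^\s/@:]+:)([^\s/@]+)(@)')

MASK = "***"  # assumed replacement token


def redact_line(line: str) -> Tuple[str, int]:
    """Return the line with any credential masked and the number of redactions made."""
    count = 0

    def kv(m: "re.Match[str]") -> str:
        nonlocal count
        count += 1
        return m.group(1) + MASK

    def url(m: "re.Match[str]") -> str:
        nonlocal count
        count += 1
        return m.group(1) + MASK + m.group(3)

    line = PASSWORD_KV.sub(kv, line)
    line = URL_USERINFO.sub(url, line)
    return line, count


def scan_log(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, redacted_line) for every line that leaked a credential.

    Only the redacted form is returned, so the findings themselves can be logged
    or attached to a ticket without repeating the secret.
    """
    findings: List[Tuple[int, str]] = []
    for number, raw in enumerate(text.splitlines(), start=1):
        redacted, hits = redact_line(raw)
        if hits:
            findings.append((number, redacted))
    return findings


if __name__ == "__main__":
    for number, redacted in scan_log(SAMPLE_LOG):
        print(f"line {number}: {redacted}")
```

Running the block against the constructed sample flags lines 1, 2 and 4 and leaves the startup message alone. The same function can be wired in as a filter in front of any log viewer, which is the generic fix for this class of issue: mask secrets before they are written, rather than relying on access control to the log view.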

OWASP Top 10 - A04) Insecure Design

OWASP Top 10 - A05) Security Misconfiguration

OWASP Top 10 - A09) Security Logging and Monitoring Failures
CVSS 3.x base scores

Provider  Type     Base Score  Atk. Vector  Atk. Complexity  Priv. Required  Vector
NIST      Primary  4.5 MEDIUM  NETWORK      LOW              HIGH            CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N
dotCMS    CNA      4.5 MEDIUM  NETWORK      LOW              HIGH            CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N

EPSS Score: percentile 36%
Affected Products (NVD)

Vendor  Product  Version
dotcms  dotcms   22.02 ≤ x < 22.03.15
dotcms  dotcms   23.01 ≤ x < 23.01.15
dotcms  dotcms   23.02 ≤ x ≤ 23.09.7
dotcms  dotcms   23.10.24:1
dotcms  dotcms   23.10.24:2
dotcms  dotcms   23.10.24:3
dotcms  dotcms   23.10.24:4
dotcms  dotcms   23.10.24:5
dotcms  dotcms   23.10.24:6
dotcms  dotcms   23.10.24:7

x = vulnerable software versions