CVE-2024-3165

System->Maintenance-> Log Files in dotCMS dashboard is providing the username/password for database connections in the log output. Nevertheless, this is a moderate issue as it requires a backend admin as well as that dbs are locked down by environment. OWASP Top 10 - A05) Insecure Design OWASP Top 10 - A05) Security Misconfiguration OWASP Top 10 - A09) Security Logging and Monitoring Failure

CVSS v3 4.5 MEDIUM

4.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 0.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/dotCMS/core/issues/27910	Issue Tracking
https://github.com/dotCMS/core/pull/28006	Issue Tracking
https://www.dotcms.com/security/SI-70	Broken Link
https://github.com/dotCMS/core/issues/27910	Issue Tracking
https://github.com/dotCMS/core/pull/28006	Issue Tracking
https://www.dotcms.com/security/SI-70	Broken Link

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:dotcms:dotcms::::::::
	cpe:2.3:a:dotcms:dotcms::::::::
	cpe:2.3:a:dotcms:dotcms::::::::
	cpe:2.3:a:dotcms:dotcms:23.10.24:1:::lts:::*
	cpe:2.3:a:dotcms:dotcms:23.10.24:2:::lts:::*
	cpe:2.3:a:dotcms:dotcms:23.10.24:3:::lts:::*
	cpe:2.3:a:dotcms:dotcms:23.10.24:4:::lts:::*
	cpe:2.3:a:dotcms:dotcms:23.10.24:5:::lts:::*
	cpe:2.3:a:dotcms:dotcms:23.10.24:6:::lts:::*
	cpe:2.3:a:dotcms:dotcms:23.10.24:7:::lts:::*

History

No history.

Information

Published : 2024-04-01 22:15

Updated : 2025-06-27 14:06

NVD link : CVE-2024-3165

Mitre link : CVE-2024-3165

CVE.ORG link : CVE-2024-3165

JSON object : View

Products Affected

dotcms

dotcms

CWE

CWE-532

Insertion of Sensitive Information into Log File

{"id": "CVE-2024-3165", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 0.9}]}, "published": "2024-04-01T22:15:23.080", "references": [{"url": "https://github.com/dotCMS/core/issues/27910", "tags": ["Issue Tracking"], "source": "[email protected]"}, {"url": "https://github.com/dotCMS/core/pull/28006", "tags": ["Issue Tracking"], "source": "[email protected]"}, {"url": "https://www.dotcms.com/security/SI-70", "tags": ["Broken Link"], "source": "[email protected]"}, {"url": "https://github.com/dotCMS/core/issues/27910", "tags": ["Issue Tracking"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/dotCMS/core/pull/28006", "tags": ["Issue Tracking"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.dotcms.com/security/SI-70", "tags": ["Broken Link"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-532"}]}], "descriptions": [{"lang": "en", "value": "System->Maintenance-> Log Files in dotCMS dashboard is providing the username/password for database connections in the log output. Nevertheless, this is a moderate issue as it requires a backend admin as well as that dbs are locked down by environment. \u00a0\n\nOWASP Top 10 - A05) Insecure Design\n\nOWASP Top 10 - A05) Security Misconfiguration\n\nOWASP Top 10 - A09) Security Logging and Monitoring Failure"}, {"lang": "es", "value": "System->Maintenance-> Log Files en el panel de dotCMS proporciona el nombre de usuario/contrase\u00f1a para las conexiones de la base de datos en la salida del registro. Sin embargo, este es un problema moderado, ya que requiere un administrador de backend y que las bases de datos est\u00e9n bloqueadas por el entorno. OWASP Top 10 - A05) Dise\u00f1o inseguro OWASP Top 10 - A05) Configuraci\u00f3n incorrecta de seguridad OWASP Top 10 - A09) Fallo de registro y monitoreo de seguridad"}], "lastModified": "2025-06-27T14:06:33.077", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:dotcms:dotcms:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B8156D65-B011-4B9A-BF2E-F7F3CCFA8BD7", "versionEndExcluding": "22.03.15", "versionStartIncluding": "22.02"}, {"criteria": "cpe:2.3:a:dotcms:dotcms:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4513A2EB-037F-4037-B4F7-44B8AECB407A", "versionEndExcluding": "23.01.15", "versionStartIncluding": "23.01"}, {"criteria": "cpe:2.3:a:dotcms:dotcms:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E85B4224-34E8-47CD-8F08-8B129868AF1F", "versionEndIncluding": "23.09.7", "versionStartIncluding": "23.02"}, {"criteria": "cpe:2.3:a:dotcms:dotcms:23.10.24:1:*:*:lts:*:*:*", "vulnerable": true, "matchCriteriaId": "33DBCA2A-D4E2-4AE6-B6E0-FD0A277266F4"}, {"criteria": "cpe:2.3:a:dotcms:dotcms:23.10.24:2:*:*:lts:*:*:*", "vulnerable": true, "matchCriteriaId": "342C11DD-7760-42AE-8670-4461ECB51E4C"}, {"criteria": "cpe:2.3:a:dotcms:dotcms:23.10.24:3:*:*:lts:*:*:*", "vulnerable": true, "matchCriteriaId": "90B73A81-7202-4B0B-822B-4F2EE4480663"}, {"criteria": "cpe:2.3:a:dotcms:dotcms:23.10.24:4:*:*:lts:*:*:*", "vulnerable": true, "matchCriteriaId": "0BFA7220-B846-451B-A7B2-C3DC87767575"}, {"criteria": "cpe:2.3:a:dotcms:dotcms:23.10.24:5:*:*:lts:*:*:*", "vulnerable": true, "matchCriteriaId": "258813CA-66A7-4DCA-883D-884FB88430DC"}, {"criteria": "cpe:2.3:a:dotcms:dotcms:23.10.24:6:*:*:lts:*:*:*", "vulnerable": true, "matchCriteriaId": "E69C8B72-A38C-4D97-83BB-DCE392D3ABD0"}, {"criteria": "cpe:2.3:a:dotcms:dotcms:23.10.24:7:*:*:lts:*:*:*", "vulnerable": true, "matchCriteriaId": "B5309F19-2D65-4E87-87FD-2A0294008FF5"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}