CVE-2024-11193 Vulnerability Details

  /     /     /  

CVE-2024-11193 Metadata Quick Info

CVE Published: 13/11/2024 | CVE Updated: 14/11/2024 | CVE Year: 2024
Source: Yugabyte | Vendor: YugabyteDB | Product: YugabyteDB Anywhere
Status : PUBLISHED

CVE-2024-11193 Description

An information disclosure vulnerability exists in Yugabyte Anywhere, where the LDAP bind password is logged in plaintext within application logs. This flaw results in the unintentional exposure of sensitive information in Yugabyte Anywhere logs, potentially allowing unauthorized users with access to these logs to view the LDAP bind password. An attacker with log access could exploit this vulnerability to gain unauthorized access to the LDAP server, leading to potential exposure or compromise of LDAP-managed resources This issue affects YugabyteDB Anywhere: from 2.20.0.0 before 2.20.7.0, from 2.23.0.0 before 2.23.1.0, from 2024.1.0.0 before 2024.1.3.0.

Metrics

CVSS Version: 3.1 | Base Score: n/a
Vector: n/a

l➤ Exploitability Metrics:
    Attack Vector (AV)*
    Attack Complexity (AC)*
    Privileges Required (PR)*
    User Interaction (UI)*
    Scope (S)*

l➤ Impact Metrics:
    Confidentiality Impact (C)*
    Integrity Impact (I)*
    Availability Impact (A)*

Weakness Enumeration (CWE)

CWE-ID: CWE-532
CWE Name: CWE-532: Information Exposure Through Log Files
Source: YugabyteDB

Common Attack Pattern Enumeration and Classification (CAPEC)

CAPEC-ID: CAPEC-118
CAPEC Description: CAPEC-118: Data Interception