CVE-2024-3165

System->Maintenance-> Log Files in dotCMS dashboard is providing the username/password for database connections in the log output. Nevertheless, this is a moderate issue as it requires a backend admin as well as that dbs are locked down by environment.

OWASP Top 10 - A05) Insecure Design

OWASP Top 10 - A05) Security Misconfiguration

OWASP Top 10 - A09) Security Logging and Monitoring Failure

Published: Apr 2, 2024
Updated: Jul 26, 2024
CVE: CVE-2024-3165
Exploit:

No technical information available.

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
dotcms / dotcms	23.10.24-2	23.10.24-2.x
dotcms / dotcms	23.10.24-3	23.10.24-3.x
dotcms / dotcms	23.10.24-4	23.10.24-4.x
dotcms / dotcms	23.10.24-5	23.10.24-5.x
dotcms / dotcms	23.10.24-6	23.10.24-6.x
dotcms / dotcms	23.10.24-7	23.10.24-7.x
dotcms / dotcms	23.10.24-1	23.10.24-1.x
dotcms / dotcms	22.02	22.03.15
dotcms / dotcms	23.01	23.01.15
dotcms / dotcms	23.02	23.09.7.x

https://auth.dotcms.com/security/SI-70
https://auth.dotcms.com/security/SI-70?token=563ec927-3190-4478-bd77-0d6f8c6fc676
https://github.com/dotCMS/core/issues/27910
https://github.com/dotCMS/core/pull/28006
https://www.dotcms.com/security/SI-70

Vulnerability Database

CVE-2024-3165

Deep Security Visibility Without the Complexity