Message-Id: <201406051800.s55I0bfW013394@sf01web2.securityfocus.com>
Date: Thu, 5 Jun 2014 18:00:37 GMT
From: tucu@...udera.com
To: bugtraq@...urityfocus.com
Subject: Details for CVE-2014-0220
------------------------------------------------------------------------------------------
Technical Service Bulletin 2014-28 (TSB)

Title: Security Vulnerability: Sensitive Configuration Values Exposed in
Cloudera Manager

Certain configuration values that are stored in Cloudera Manager are
considered 'sensitive', such as database passwords. These configuration
values are expected to be inaccessible to non-admin users, and this is
enforced in the Cloudera Manager Admin Console. However, these
configuration values are not redacted when reading them through the API,
possibly making them accessible to users who should not have such access.

Products affected: Cloudera Manager

Releases affected: Cloudera Manager 4.8.2 and lower, Cloudera Manager 5.0.0

Users Affected: Cloudera Manager installations with non-admin users

Date/time of detection: May 7, 2014

Severity: High

Impact: Through the API only, non-admin users can access potentially
sensitive configuration information

CVE: CVE-2014-0220

Immediate action required:
See the following knowledge base article:
Security Vulnerability: Sensitive Configuration Values Exposed in Cloudera
Manager

ETA for resolution: May 13, 2014

Addressed in release/refresh/patch: Cloudera Manager 4.8.3 and 5.0.1
------------------------------------------------------------------------------------------
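
The class of flaw the bulletin describes (redaction enforced on the console read path but not on the API read path), as an added sketch that is not Cloudera Manager code and not part of the original bulletin. The role names, config keys, values and function names are all assumptions constructed for illustration.

```python
# Added illustration only; nothing here is Cloudera Manager's real code or API.
from dataclasses import dataclass

REDACTED = "********"

@dataclass(frozen=True)
class ConfigItem:
    name: str
    value: str
    sensitive: bool = False

# Constructed sample configuration store.
STORE = [
    ConfigItem("db_host", "db01.example.internal"),
    ConfigItem("db_password", "constructed-secret", sensitive=True),
    ConfigItem("heap_size_mb", "4096"),
]

def redact_for(role, items):
    """Single enforcement point: mask sensitive values for non-admin roles."""
    if role == "admin":
        return {i.name: i.value for i in items}
    return {i.name: (REDACTED if i.sensitive else i.value) for i in items}

def console_view(role):
    # The console path applies the redaction policy.
    return redact_for(role, STORE)

def api_view_flawed(role):
    # The flaw class: the API path serializes the raw store and never
    # consults the caller's role, so redaction is bypassed.
    return {i.name: i.value for i in STORE}

def api_view_fixed(role):
    # Corrected: the API shares the same enforcement point as the console.
    return redact_for(role, STORE)

def leaked_keys(view_fn, role):
    """Regression check: sensitive names whose real value appears in a view."""
    view = view_fn(role)
    return sorted(i.name for i in STORE
                  if i.sensitive and view.get(i.name) == i.value)
```

Running `leaked_keys` against every read path for each non-admin role is the kind of regression test that catches a path added later without redaction.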