CVE-2024-53865

CVSSv4: NA | CVSSv3: 8.2 | CVSSv2: NA | VMScore: 920 | EPSS: 0.00043 | KEV: Not Included
Published: 29/11/2024 Updated: 29/11/2024

Vulnerability Summary

Sensitive Information Exposure in zhmcclient Log Files Prior to 1.18.1

The zhmcclient is a Python library for the IBM Z HMC Web Services API. In versions prior to 1.18.1, the "zhmcclient" package writes passwords in plain text to its logs. This happens in the following cases:

1. When creating or updating a partition in DPM mode, "boot-ftp-password" and "ssc-master-pw" appear in the logs.
2. When updating an LPAR in classic mode, "ssc-master-pw" and "zaware-master-pw" appear in the logs.
3. When creating or updating an image activation profile in classic mode, "ssc-master-pw" and "zaware-master-pw" appear in the logs.
4. When creating or updating an HMC user, the "password" appears in the logs.
5. When creating or updating an LDAP server definition, "bind-password" appears in the logs.

This affects users who have enabled the loggers "zhmcclient.api" or "zhmcclient.hmc" and use the listed functions. The issue is fixed in version 1.18.1. Users should upgrade. No workarounds are known for this vulnerability.