Information disclosure in Redhat Enterprise_virtualization

CVE-2014-3561

The rhevm-log-collector package in Red Hat Enterprise Virtualization 3.4 uses the PostgreSQL database password on the command line when calling sosreport, which allows local users to obtain sensitive information by listing the processes.

Vulnerability class: Information Disclosure

EPSS: 0.001 (19.2th percentile) — read the EPSS interpretation.

Affected products

Redhat Enterprise_virtualization — versions 3.4
N/a — versions n/a

Weakness classification (CWE)

CWE-200 — Information Disclosure

References

rhevm-log-collector-info-disc(99096) (vdb-entry, x_refsource_XF)
1031291 (vdb-entry, x_refsource_SECTRACK)
RHSA-2014:1947 (x_refsource_REDHAT, vendor-advisory, Vendor Advisory)