PyPI: zhmcclient

CVE-2024-53865

Safety vulnerability ID: 74428

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Nov 29, 2024 Updated at Dec 08, 2024

Advisory

Affected versions of zhmcclient are vulnerable to Cleartext Storage of Sensitive Information (CWE-312). Sensitive information, such as passwords, was logged in clear text, potentially allowing unauthorized individuals with access to log files to obtain credentials. This vulnerability exists in the logging of API functions where password-like properties were not properly redacted. An attacker with access to the logs could exploit this to gain sensitive information. To mitigate, upgrade to the latest version where all sensitive properties are consistently masked in logs using the BLANKED_OUT_STRING mechanism.
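
The masking approach described above, as an added example that is not zhmcclient's own code: password-like properties are replaced with a placeholder at every nesting level before the call is logged. The placeholder value, the key hints and all function names here are assumptions made for this sketch, and the sample input is constructed.

```python
import io
import logging

# Assumed placeholder value and key hints; not taken from zhmcclient.
BLANKED_OUT_STRING = "********"
SENSITIVE_HINTS = ("password", "passphrase", "secret", "token")


def is_sensitive(key):
    """True when a property name looks like it carries a credential."""
    name = str(key).lower().replace("-", "_")
    return any(hint in name for hint in SENSITIVE_HINTS)


def blank_out(value):
    """Return a masked copy of value; nested dicts, lists and tuples are
    walked so buried credentials are covered. The input is not mutated."""
    if isinstance(value, dict):
        return {k: BLANKED_OUT_STRING if is_sensitive(k) and v is not None
                else blank_out(v) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return type(value)(blank_out(v) for v in value)
    return value


def log_api_call(logger, func_name, args, kwargs):
    """Log an API call only after its arguments have been masked."""
    logger.debug("Called: %s, args: %r, kwargs: %r",
                 func_name, blank_out(args), blank_out(kwargs))


def demo():
    """Log one constructed call and return the captured log text."""
    stream = io.StringIO()
    logger = logging.getLogger("redaction_demo")
    logger.handlers[:] = [logging.StreamHandler(stream)]
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    # Constructed input: one password at top level, one nested in a list.
    props = {"name": "user1", "password": "s3cr3t!",
             "accounts": [{"userid": "ops", "bind-password": "hunter2"}]}
    log_api_call(logger, "ExampleManager.create", (props,),
                 {"ldap_password": "pw9"})
    return stream.getvalue()


if __name__ == "__main__":
    print(demo())
```

Masking a copy rather than the original keeps the real request intact while guaranteeing the log handler never receives the cleartext value.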

Affected package

zhmcclient

Latest version: 1.18.2

A pure Python client library for the IBM Z HMC Web Services API

Affected versions

Fixed versions

Vulnerability changelog

This vulnerability has no description

Resources
