#VU10961 Information disclosure in Sensu Core - CVE-2018-1000060

Cybersecurity Help s.r.o.

Published: 2018-03-13

Vulnerability identifier: #VU10961

Vulnerability risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-1000060

CWE-ID: CWE-522

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Sensu Core
Server applications / Frameworks for developing and running applications

Vendor: Sensu, Inc.

Description
The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information on the target system.

The weakness exists in the Sensu::Utilities.redact_sensitive() function due to improper security restrictions. A remote attacker can gain access to potentially sensitive information, such as log file information and passwords.

Mitigation
Update to version 1.2.1 or later.

Vulnerable software versions

Sensu Core: 0.29 - 1.1

External links
https://github.com/sensu/sensu/issues/1804

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Red Hat update for sensu-core

Red Hat update for Sensu Core

Information disclosure in Sensu Core