- Description
- zhmcclient is a pure Python client library for the IBM Z HMC Web Services API. In affected versions the Python package "zhmcclient" writes password-like properties in clear text into its HMC and API logs in the following cases:
  1. The 'boot-ftp-password' and 'ssc-master-pw' properties when creating or updating a partition in DPM mode, in the zhmcclient API and HMC logs.
  2. The 'ssc-master-pw' and 'zaware-master-pw' properties when updating an LPAR in classic mode, in the zhmcclient API and HMC logs.
  3. The 'ssc-master-pw' and 'zaware-master-pw' properties when creating or updating an image activation profile in classic mode, in the zhmcclient API and HMC logs.
  4. The 'password' property when creating or updating an HMC user, in the zhmcclient API log.
  5. The 'bind-password' property when creating or updating an LDAP server definition, in the zhmcclient API and HMC logs.

  This issue affects only users of the zhmcclient package that have enabled the Python loggers named "zhmcclient.api" (for the API log) or "zhmcclient.hmc" (for the HMC log) and that use the functions listed above. This issue has been fixed in zhmcclient version 1.18.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.
- Source
- security-advisories@github.com
- NVD status
- Received
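To check logs that an affected version may already have written, the following added example (not part of the advisory or of zhmcclient) reports where one of the properties named in the description appears with a non-masked value. The function name `find_exposures`, the log line layout, the quoted `'name': 'value'` form and the all-asterisks masking convention are assumptions; the sample lines are constructed.

```python
import re

# Property names taken from the advisory description.
SENSITIVE_PROPS = ("boot-ftp-password", "ssc-master-pw", "zaware-master-pw",
                   "password", "bind-password")
# Logger names taken from the advisory description.
ZHMC_LOGGERS = ("zhmcclient.api", "zhmcclient.hmc")

# Assumption: properties show up as 'name': 'value' (dict repr) or
# "name": "value" (JSON). Escaped quotes inside the value are skipped over.
_PAIR = re.compile(
    r"""(?P<q>['"])(?P<name>%s)(?P=q)\s*:\s*"""
    r"""(?P<vq>['"])(?P<value>(?:\\.|(?!(?P=vq)).)*)(?P=vq)"""
    % "|".join(re.escape(p) for p in SENSITIVE_PROPS))


def find_exposures(lines, loggers=ZHMC_LOGGERS):
    """Return (line_number, property_name) for each clear-text occurrence.

    Only lines mentioning one of `loggers` are checked; pass loggers=None
    when the log format does not include the logger name. The value itself
    is never returned, so the report can be shared.
    """
    hits = []
    for number, line in enumerate(lines, start=1):
        if loggers is not None and not any(name in line for name in loggers):
            continue
        for match in _PAIR.finditer(line):
            value = match.group("value")
            # Assumption: empty or all-asterisk values are already masked.
            if value and set(value) != {"*"}:
                hits.append((number, match.group("name")))
    return hits


# Constructed sample lines; the layout is illustrative only.
SAMPLE_LOG = [
    'zhmcclient.hmc DEBUG Request: POST body={"name": "p1", "ssc-master-pw": "Sample-Pw-1"}',
    "zhmcclient.api DEBUG Called: update_properties({'bind-password': 'Sample-Pw-2'})",
    "zhmcclient.api DEBUG Called: update_properties({'password': '********'})",
    "otherapp INFO settings={'password': 'not-logged-by-zhmcclient'}",
    "zhmcclient.hmc DEBUG Request: GET",
]

if __name__ == "__main__":
    for number, prop in find_exposures(SAMPLE_LOG):
        print(f"line {number}: clear-text value for '{prop}'")
```

Log files with any reported line should be handled as containing credentials.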
CVSS 3.1
- Type
- Secondary
- Base score
- 8.2
- Impact score
- 6
- Exploitability score
- 1.5
- Vector string
- CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
- Severity
- HIGH
- security-advisories@github.com
- CWE-312
- Hype score
- Not currently trending
A vulnerability with ID CVE-2024-53865 and a severity of 8.2 (High) has been discovered in the Python zhmcclient library for the IBM Z HMC Web Services API. This vulnerability occurs because of improper handling of sensitive information (passwords) and their storage in clear text in logging. https://t.co/EPa
@cybernetic_cy
2 Dec 2024
55 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE Alert: CVE-2024-53865 - https://t.co/f3QQEBe6Y3 #OSINT #ThreatIntel #CyberSecurity #cve_2024_53865
@RedPacketSec
30 Nov 2024
72 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2024-53865 Sensitive Information Exposure in zhmcclient Log Files Prior to 1.18.1 The zhmcclient is a Python library for IBM Z HMC Web Services API. In some versions, the "zhmcclient" package writes passwords... https://t.co/7F79sMQwD6
@VulmonFeeds
30 Nov 2024
53 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
A vulnerability with ID CVE-2024-53865 and a severity of 8.2 (High) has been discovered in the Python zhmcclient library for the IBM Z HMC Web Services API. This vulnerability occurs because of improper handling of sensitive information (passwords) and their storage in clear text in logging.
@cybernetic_cy
30 Nov 2024
39 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 CVE-2024-53865: python-zhmcclient up to 1.18.0 vulnerable to cleartext storage in HMC Web Service API. Upgrade immediately to mitigate risks of sensitive data exposure. #CyberSecurity #SecureCodeMatters
@oktsec
29 Nov 2024
27 Impressions
0 Retweets
0 Likes
0 Bookmarks
4 Replies
0 Quotes
CVE-2024-53865 zhmcclient is a pure Python client library for the IBM Z HMC Web Services API. In affected versions the Python package "zhmcclient" writes password-like properties in… https://t.co/5Ja1Z5tBFc
@CVEnew
29 Nov 2024
452 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
[CVE-2024-53865: HIGH] Vulnerability alert: python package "zhmcclient" writes password-like properties in clear text into logs. Update to version 1.18.1 to fix the issue. #CyberSecurity #InfoSec#cybersecurity,#vulnerability https://t.co/3kG7sL4vsE https://t.co/ZwRHaARq4g
@CveFindCom
29 Nov 2024
26 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes