CVE-2024-3165

System->Maintenance-> Log Files in dotCMS dashboard is providing the username/password for database connections in the log output. Nevertheless, this is a moderate issue as it requires a backend admin as well as that dbs are locked down by environment. OWASP Top 10 - A05) Insecure Design OWASP Top 10 - A05) Security Misconfiguration OWASP Top 10 - A09) Security Logging and Monitoring Failure

CVSS v3 4.5 MEDIUM

4.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 0.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/dotCMS/core/issues/27910	Issue Tracking
https://github.com/dotCMS/core/pull/28006	Issue Tracking
https://www.dotcms.com/security/SI-70	Broken Link
https://github.com/dotCMS/core/issues/27910	Issue Tracking
https://github.com/dotCMS/core/pull/28006	Issue Tracking
https://www.dotcms.com/security/SI-70	Broken Link

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:dotcms:dotcms::::::::
	cpe:2.3:a:dotcms:dotcms::::::::
	cpe:2.3:a:dotcms:dotcms::::::::
	cpe:2.3:a:dotcms:dotcms:23.10.24:1:::lts:::*
	cpe:2.3:a:dotcms:dotcms:23.10.24:2:::lts:::*
	cpe:2.3:a:dotcms:dotcms:23.10.24:3:::lts:::*
	cpe:2.3:a:dotcms:dotcms:23.10.24:4:::lts:::*
	cpe:2.3:a:dotcms:dotcms:23.10.24:5:::lts:::*
	cpe:2.3:a:dotcms:dotcms:23.10.24:6:::lts:::*
	cpe:2.3:a:dotcms:dotcms:23.10.24:7:::lts:::*

History

27 Jun 2025, 14:06

Type	Values Removed	Values Added
CPE		cpe:2.3:a:dotcms:dotcms:23.10.24:2:::lts:::* cpe:2.3:a:dotcms:dotcms:23.10.24:3:::lts:::* cpe:2.3:a:dotcms:dotcms:23.10.24:1:::lts:::* cpe:2.3:a:dotcms:dotcms:::::::: cpe:2.3:a:dotcms:dotcms:23.10.24:6:::lts:::* cpe:2.3:a:dotcms:dotcms:23.10.24:4:::lts:::* cpe:2.3:a:dotcms:dotcms:23.10.24:7:::lts:::* cpe:2.3:a:dotcms:dotcms:23.10.24:5:::lts:::*
References	~~() https://github.com/dotCMS/core/issues/27910 -~~	() https://github.com/dotCMS/core/issues/27910 - Issue Tracking
References	~~() https://github.com/dotCMS/core/pull/28006 -~~	() https://github.com/dotCMS/core/pull/28006 - Issue Tracking
References	~~() https://www.dotcms.com/security/SI-70 -~~	() https://www.dotcms.com/security/SI-70 - Broken Link
First Time		Dotcms dotcms Dotcms

21 Nov 2024, 09:29

Type	Values Removed	Values Added
References	~~() https://github.com/dotCMS/core/issues/27910 -~~	() https://github.com/dotCMS/core/issues/27910 -
References	~~() https://github.com/dotCMS/core/pull/28006 -~~	() https://github.com/dotCMS/core/pull/28006 -
References	~~() https://www.dotcms.com/security/SI-70 -~~	() https://www.dotcms.com/security/SI-70 -

30 Sep 2024, 16:15

Type	Values Removed	Values Added
CWE	~~CWE-522~~	CWE-532

26 Jul 2024, 14:15

Type	Values Removed	Values Added
References	~~{'url': 'https://auth.dotcms.com/security/SI-70', 'source': 'security@dotcms.com'}~~	() https://www.dotcms.com/security/SI-70 -

25 Jul 2024, 21:15

Type	Values Removed	Values Added
Summary	(en) System->Maintenance-> Log Files in dotCMS dashboard is providing the username/password for database connections in the log output. Nevertheless, this is a moderate issue as it requires a backend admin as well as that dbs are locked down by environment. OWASP Top 10 - A05) Insecure Design OWASP Top 10 - A05) Security Misconfiguration OWASP Top 10 - A09) Security Logging and Monitoring Failure	(en) System->Maintenance-> Log Files in dotCMS dashboard is providing the username/password for database connections in the log output. Nevertheless, this is a moderate issue as it requires a backend admin as well as that dbs are locked down by environment. OWASP Top 10 - A05) Insecure Design OWASP Top 10 - A05) Security Misconfiguration OWASP Top 10 - A09) Security Logging and Monitoring Failure
References	~~{'url': 'https://auth.dotcms.com/security/SI-70?token=563ec927-3190-4478-bd77-0d6f8c6fc676', 'source': 'security@dotcms.com'}~~	() https://auth.dotcms.com/security/SI-70 -

02 Apr 2024, 12:50

Type	Values Removed	Values Added
Summary		(es) System->Maintenance-> Log Files en el panel de dotCMS proporciona el nombre de usuario/contraseña para las conexiones de la base de datos en la salida del registro. Sin embargo, este es un problema moderado, ya que requiere un administrador de backend y que las bases de datos estén bloqueadas por el entorno. OWASP Top 10 - A05) Diseño inseguro OWASP Top 10 - A05) Configuración incorrecta de seguridad OWASP Top 10 - A09) Fallo de registro y monitoreo de seguridad

01 Apr 2024, 22:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-04-01 22:15

Updated : 2025-06-27 14:06

NVD link : CVE-2024-3165

Mitre link : CVE-2024-3165

CVE.ORG link : CVE-2024-3165

JSON object : View

Products Affected

dotcms

dotcms

CWE

CWE-532

Insertion of Sensitive Information into Log File

4.5 /10