CVE Vulnerabilities

CVE-2019-18244

Insertion of Sensitive Information into Log File

Published: Jan 15, 2020 | Modified: Jul 25, 2020
CVSS 3.x
4.7
MEDIUM
Source:
NVD
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS 2.x
1.9 LOW
AV:L/AC:M/Au:N/C:P/I:N/A:N
RedHat/V2
RedHat/V3
Ubuntu

In OSIsoft PI System multiple products and versions, a local attacker could view sensitive information in log files when service accounts are customized during installation or upgrade of PI Vision. The update fixes a previously reported issue.

Weakness

Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.

Affected Software

Name Vendor Start Version End Version
Pi_vision Osisoft 2017-r2 (including) 2017-r2 (including)
Pi_vision Osisoft 2017-r2_sp1 (including) 2017-r2_sp1 (including)
Pi_vision Osisoft 2019 (including) 2019 (including)

Extended Description

While logging all information may be helpful during development stages, it is important that logging levels be set appropriately before a product ships so that sensitive user data and system information are not accidentally exposed to potential attackers. Different log files may be produced and stored for:

Potential Mitigations

References