CVE-2023-34097

Published: Jun 5, 2023Modified: Nov 21, 2024

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

hoppscotch is an open source API development ecosystem. In versions prior to 2023.4.5 the database password is exposed in the logs when showing the database connection string. Attackers with access to read system logs will be able to elevate privilege with full access to the database. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Affected (1)

Products: Hoppscotch: Hoppscotch

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Hoppscotch Hoppscotch	Before 2023.4.5

Related CWEs

Insertion of Sensitive Information into Log File

Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.

References (4)

https://github.com/hoppscotch/hoppscotch/commit/15424903ede20b155d764abf4c4f7c2c84c11247

Source: security-advisories@github.com

Patch

https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-qpx8-wq6q-r833

Source: security-advisories@github.com

ExploitVendor Advisory

https://github.com/hoppscotch/hoppscotch/commit/15424903ede20b155d764abf4c4f7c2c84c11247

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-qpx8-wq6q-r833

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitVendor Advisory

Timeline

No history available yet.