CVE-2012-5616

medium

Description

Apache CloudStack 4.0.0-incubating and Citrix CloudPlatform (formerly Citrix CloudStack) before 3.0.6 stores sensitive information in the log4j.conf log file, which allows local users to obtain (1) the SSH private key as recorded by the createSSHKeyPair API, (2) the password of an added host as recorded by the AddHost API, or the password of an added VM as recorded by the (3) DeployVM or (4) ResetPasswordForVM API.

References

http://www.securitytracker.com/id?1027978

http://www.securityfocus.com/bid/57259

http://www.securityfocus.com/bid/57225

http://support.citrix.com/article/CTX136163

http://secunia.com/advisories/51827

http://secunia.com/advisories/51821

http://secunia.com/advisories/51366

http://seclists.org/fulldisclosure/2013/Jan/65

http://osvdb.org/89147

http://osvdb.org/89146

http://osvdb.org/89070

http://mail-archives.apache.org/mod_mbox/incubator-cloudstack-users/201301.mbox/%3C1BD2169F-BBFE-4E27-B50F-F17D7D08B565%40stratosec.co%3E

Details

Source: Mitre, NVD

Published: 2013-01-22

Updated: 2026-06-16

Risk Information

CVSS v2

Base Score: 1.5

Vector: CVSS2#AV:L/AC:M/Au:S/C:P/I:N/A:N

Severity: Low

CVSS v3

Base Score: 5.5

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Severity: Medium

EPSS

EPSS: 0.0015