8.3

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-53865

CVE-2024-53865: Python package "zhmcclient" stores passwords in clear text in its HMC and API logs

Impact

The Python package "zhmcclient" writes password-like properties in clear text into its HMC and API logs in the following cases:

The 'boot-ftp-password' and 'ssc-master-pw' properties when creating or updating a partition in DPM mode, in the zhmcclient API and HMC logs
The 'ssc-master-pw' and 'zaware-master-pw' properties when updating an LPAR in classic mode, in the zhmcclient API and HMC logs
The 'ssc-master-pw' and 'zaware-master-pw' properties when creating or updating an image activation profile in classic mode, in the zhmcclient API and HMC logs
The 'password' property when creating or updating an HMC user, in the zhmcclient API log
The 'bind-password' property when creating or updating an LDAP server definition, in the zhmcclient API and HMC logs

This issue affects only users of the zhmcclient package that have enabled the Python loggers named "zhmcclient.api" (for the API log) or "zhmcclient.hmc" (for the HMC log) and that use the functions listed above.

Patches

Has been fixed in zhmcclient version 1.18.1

Workarounds

Not applicable, since fix is available.

References

None

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-53865

CVE-2024-53865:

8.3

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
zhmcclient	pip	< 1.18.1	1.18.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from functions handling sensitive properties without proper logging redaction. The commit diff shows these functions were modified to add @logged_api_call decorators with 'blanked_properties' parameters, explicitly addressing the password fields mentioned in CVE-2024-53865. Each function corresponds to one of the vulnerable scenarios described (partition/LPAR/user creation/update operations with password-like properties). The high confidence comes from direct correlation between patched functions and vulnerability descriptions in advisory materials.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

8.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-53865: Python package "zhmcclient" stores passwords in clear text in its HMC and API logs

Impact

Patches

Workarounds

References

CVE-2024-53865:

8.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2024-53865: Python package "zhmcclient" stores passwords in clear text in its HMC and API logs

Impact

Patches

Workarounds

References

Technical Details

8.3

8.3

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI