Advisory ID: | Q-PSA-2022-02 |
CVE ID: | CVE-2022-29550 |
Published: | 2022-08-15 |
Last Update: | 2022-08-15 |
CWE: | CWE-312, CWE-200 |
| NVD Risk Rating | Qualys Risk Rating |
CVSSv3.1 Score | 5.5, Medium | Unchanged |
CVSSv3.1 Vector (Base) | AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H | Unchanged |
Qualys Cloud Agent for Linux writes the output of the ps auxwwe command to the /var/log/qualys/qualys-cloud-agent-scan.log file when the logging level is configured to trace. While this level of logging is often required by customers for troubleshooting, customer credentials or other secrets could be unexpectedly written to the Qualys logs from environment variables if set by the customer.
The default logging level for Qualys Cloud Agent for Linux is set to Informational. At this logging level, the output of the ps auxwwe command is not written to the qualys-cloud-agent-scan.log file. Qualys documentation has been updated to support customer decision-making on appropriate logging levels and related security considerations.
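For hosts where trace logging was enabled, the following added example (not part of the Qualys advisory or Qualys tooling) scans a copy of the scan log for secret-looking environment variables captured from ps auxwwe output and prints each hit with its value redacted. The name patterns and the sample lines are assumptions constructed for illustration; the real log line layout may differ, so each line is treated as free text.

```python
import re
import sys

# Log file named in the advisory; pass another path as argv[1] to scan a copy.
LOG_PATH = "/var/log/qualys/qualys-cloud-agent-scan.log"

# Assumption: name fragments that usually mark a secret. Heuristic, tune per site.
SECRET_HINT = re.compile(
    r"PASSW(OR)?D|SECRET|TOKEN|API_?KEY|ACCESS_?KEY|PRIVATE_?KEY|CREDENTIAL", re.I)

# `ps e` appends the environment as whitespace-separated NAME=value pairs.
ENV_PAIR = re.compile(r"(?<!\S)([A-Za-z_][A-Za-z0-9_]*)=(\S+)")

def find_secret_vars(line):
    """Names of secret-looking environment variables present on one log line."""
    return [name for name, _ in ENV_PAIR.findall(line) if SECRET_HINT.search(name)]

def redact(line):
    """Replace the value of every secret-looking variable with a fixed marker."""
    def _sub(m):
        name = m.group(1)
        return f"{name}=<redacted>" if SECRET_HINT.search(name) else m.group(0)
    return ENV_PAIR.sub(_sub, line)

def scan(lines):
    """Yield (line_number, variable_names, redacted_line) for each exposing line."""
    for number, line in enumerate(lines, 1):
        names = find_secret_vars(line)
        if names:
            yield number, names, redact(line.rstrip("\n"))

# Constructed sample lines (not real agent output; values are placeholders).
SAMPLE = [
    "2022-08-01 10:00:00.000 [Trace]: app 4121 0.0 0.1 11234 980 ? Ss 09:58 0:00 "
    "/opt/app/worker --queue jobs HOME=/home/app DB_PASSWORD=examplepw LANG=C",
    "2022-08-01 10:00:01.000 [Information]: scan started",
    "2022-08-01 10:00:02.000 [Trace]: svc 512 0.0 0.0 9000 700 ? S 09:00 0:00 "
    "/usr/bin/sync-job PATH=/usr/bin AWS_SECRET_ACCESS_KEY=EXAMPLEKEY TERM=linux",
]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            lines = fh.readlines()
    else:
        lines = SAMPLE
    for number, names, safe in scan(lines):
        print(f"line {number}: {', '.join(names)}")
        print(f"  {safe}")
```

Any variable this reports should be treated as exposed to every reader of the log file and rotated.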
Qualys Cloud Agent for Linux
Not applicable
Unqork Security Team (Justin Borland, Daniel Wood, David Heise, Bryan Li)