CVE-2024-53865: 
Python vulnerability analysis and mitigation

The Python package 'zhmcclient', a client library for the IBM Z HMC Web Services API, contains a vulnerability (CVE-2024-53865) where password-like properties are written in clear text into its HMC and API logs. This vulnerability was discovered and disclosed on November 29, 2024, affecting versions prior to 1.18.1 (GitHub Advisory).

The vulnerability occurs when specific password-related properties are logged in clear text through the Python loggers named 'zhmcclient.api' and 'zhmcclient.hmc'. The affected properties include 'boot-ftp-password', 'ssc-master-pw', 'zaware-master-pw', 'password', and 'bind-password' during various operations such as partition creation/updates, LPAR updates, image activation profile modifications, HMC user management, and LDAP server definition configurations. The vulnerability has been assigned a CVSS v3.1 base score of 8.2 (HIGH) with vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H (GitHub Advisory).

The exposure of password-like properties in clear text logs poses a significant security risk as it could lead to unauthorized access to sensitive systems and data. This vulnerability only affects users who have enabled the specific Python loggers and use the functions that handle these sensitive properties (GitHub Advisory).

The vulnerability has been fixed in zhmcclient version 1.18.1. Users are advised to upgrade to this version or later. There are no known workarounds for this vulnerability, making the upgrade the only effective mitigation strategy (GitHub Advisory).