oss-sec mailing list archives
CVE request for vulnerability in OpenStack Cinder, Nova and Trove
From: Tristan Cacqueray <tristan.cacqueray () enovance com>
Date: Mon, 29 Sep 2014 17:04:50 -0400
A vulnerability was discovered in OpenStack (see below). In order to ensure full traceability, we need a CVE number assigned that we can attach to further notifications. This issue is already public, although an advisory was not sent yet.

Title: Potential leak of passwords into log files
Reporter: Amrith Kumar (Tesora)
Products: Cinder, Nova, Trove
Versions: up to 2013.2.3, 2014.1 versions up to 2014.1.2

Description:
Amrith Kumar from Tesora reported two vulnerabilities in the processutils.execute() and strutils.mask_password() functions available from oslo-incubator that are copied into each project's code. An attacker with read access to the services' logs may obtain passwords used as a parameter of a command that have failed or when the mask_password did not mask passwords properly.

References:
https://launchpad.net/bugs/1343604
https://launchpad.net/bugs/1345233

Thanks in advance,

--
Tristan Cacqueray
OpenStack Vulnerability Management Team
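The two leak paths named in the description (a failed command's arguments reaching the log, and masking that misses a password) shown as an added Python example; it is not oslo-incubator's code and not part of the original message. `mask_secrets`, `run_logged`, `CommandFailed`, the key names and the patterns are all hypothetical.

```python
import re
import shlex
import subprocess

# Hypothetical key names and patterns, constructed for this example.
_KEY = r"[\w-]*(?:password|passwd|_pass|secret|token)"
_VALUE = r"(?:\"[^\"]*\"|'[^']*'|[^\s,&}'\"]+)"
_PATTERNS = [
    # key=value, key: value, "key": "value" (config lines, JSON, --flag=value)
    (re.compile(r"(?i)(['\"]?%s['\"]?\s*[=:]\s*)%s" % (_KEY, _VALUE)), r"\1***"),
    # --flag value (space-separated command-line argument)
    (re.compile(r"(?i)(-%s\s+)%s" % (_KEY, _VALUE)), r"\1***"),
    # scheme://user:secret@host (credentials embedded in a connection URL)
    (re.compile(r"(://[^/\s:@]+:)[^@\s/]+(@)"), r"\1***\2"),
]


class CommandFailed(Exception):
    """Failure whose message holds only the masked command line and stderr."""


def mask_secrets(text):
    """Replace secret values in text with ***, keeping the key and delimiter."""
    for pattern, repl in _PATTERNS:
        text = pattern.sub(repl, text)
    return text


def run_logged(cmd):
    """Run cmd (an argv list); on failure raise an error that is safe to log."""
    proc = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE,
                          universal_newlines=True)
    if proc.returncode != 0:
        # Mask before the command line ever becomes part of the exception
        # text, because exception messages are what end up in service logs.
        shown = mask_secrets(" ".join(shlex.quote(arg) for arg in cmd))
        raise CommandFailed("exit %d running: %s\nstderr: %s" % (
            proc.returncode, shown, mask_secrets(proc.stderr.strip())))
    return proc.stdout
```

Pattern-based masking only covers the formats it was written for, so each new way a service passes a password needs its own test case.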