oss-sec mailing list archives

CVE request for vulnerability in OpenStack Cinder, Nova and Trove


From: Tristan Cacqueray <tristan.cacqueray () enovance com>
Date: Mon, 29 Sep 2014 17:04:50 -0400

A vulnerability was discovered in OpenStack (see below). In order to
ensure full traceability, we need a CVE number assigned that we can
attach to further notifications. This issue is already public, although
an advisory was not sent yet.

Title: Potential leak of passwords into log files
Reporter: Amrith Kumar (Tesora)
Products: Cinder, Nova, Trove
Versions: up to 2013.2.3, 2014.1 versions up to 2014.1.2

Description:
Amrith Kumar from Tesora reported two vulnerabilities in the
processutils.execute() and strutils.mask_password() functions available
from oslo-incubator that are copied into each project's code. An
attacker with read access to the services' logs may obtain passwords
used as a parameter of a command that has failed or when the
mask_password did not mask passwords properly.

References:
https://launchpad.net/bugs/1343604
https://launchpad.net/bugs/1345233

Thanks in advance,

-- 
Tristan Cacqueray
OpenStack Vulnerability Management Team
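
The leak path described in the message above, shown from the defender's side as an added example (not code from this message, from oslo-incubator or from any OpenStack project): the argument list and the tool's stderr are masked before they reach the exception text that ends up in a log. The option names in `SECRET_FLAG` and the names `mask_argv`, `mask_text`, `safe_execute` and `CommandFailed` are hypothetical.

```python
import re
import subprocess

MASK = "***"
# Assumed option names (not from the advisory); adjust to your own commands.
SECRET_FLAG = re.compile(r"^--?[\w-]*(password|passwd|secret|token)$", re.I)
URL_CREDS = re.compile(r"(\w+://[^/\s:@]+:)([^@\s/]+)(@)")


def mask_argv(argv):
    """Return (masked copy of argv, set of secret values that were hidden)."""
    masked, secrets, hide_next = [], set(), False
    for arg in argv:
        flag, sep, value = arg.partition("=")
        if hide_next:                          # value after a bare "--password"
            secrets.add(arg)
            masked.append(MASK)
            hide_next = False
        elif sep and SECRET_FLAG.match(flag):  # "--password=value"
            secrets.add(value)
            masked.append(flag + "=" + MASK)
        elif SECRET_FLAG.match(arg):           # "--password", value comes next
            masked.append(arg)
            hide_next = True
        else:                                  # scheme://user:secret@host
            secrets.update(m.group(2) for m in URL_CREDS.finditer(arg))
            masked.append(URL_CREDS.sub(lambda m: m.group(1) + MASK + m.group(3), arg))
    return masked, secrets


def mask_text(text, secrets):
    """Hide secret values that the failed tool echoed back in its output."""
    for s in sorted(filter(None, secrets), key=len, reverse=True):
        text = text.replace(s, MASK)
    return text


class CommandFailed(Exception):
    """Raised on non-zero exit; str(exc) contains no secret values."""


def safe_execute(argv):
    """Run argv and, on failure, raise an error whose text is safe to log."""
    proc = subprocess.run(argv, capture_output=True, text=True)
    if proc.returncode != 0:
        shown, secrets = mask_argv(argv)
        raise CommandFailed("exit %d: %s\nstderr: %s" % (
            proc.returncode, " ".join(shown), mask_text(proc.stderr, secrets)))
    return proc.stdout
```

Masking the structured argument list avoids guessing at quoting in an already-joined command string, and reusing the collected values on stderr covers tools that repeat their arguments in error messages.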
