oss-sec mailing list archives
CVE request for vulnerability in OpenStack Glance
From: Jeremy Stanley <jeremy () openstack org>
Date: Wed, 12 Feb 2014 04:53:42 +0000
A vulnerability was discovered in OpenStack (see below). In order to ensure full traceability, we need a CVE number assigned that we can attach to further notifications. This issue is already public, although an advisory was not sent yet. Title: Glance Swift store backend password leak Reporter: Nikhil Komawar (Rackspace) Products: Glance Versions: 2013.2 versions up to 2013.2.1 Description: Nikhil Komawar from Rackspace reported an information leak in Glance logs. The password for the Swift store backend is logged at WARNING level as part of the URL when authentication to a store fails if image location is not disabled by policy or the store is a single-tenant configuration. An attacker with access to the logs (local shell, log aggregation system access, or accidental leak) may leverage this vulnerability to elevate privileges and gain direct full access to the Glance Swift store backend. Only Glance setups using the Swift store backend are affected. References: https://launchpad.net/bugs/1275062 Thanks in advance, -- Jeremy Stanley OpenStack Vulnerability Management Team
Attachment:
signature.asc
Description: Digital signature
Current thread:
- CVE request for vulnerability in OpenStack Glance Jeremy Stanley (Feb 11)
- Re: CVE request for vulnerability in OpenStack Glance cve-assign (Feb 12)