oss-sec mailing list archives
Re: CVE request for vulnerability in OpenStack Neutron, Ceilometer and pyCADF library
From: cve-assign () mitre org
Date: Tue, 24 Jun 2014 01:57:37 -0400 (EDT)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Title: User token leak to message queue in pyCADF notifier middleware
a vulnerability in the notifier middleware available in the PyCADF library and formerly copied into Neutron and Ceilometer code. An attacker with read access to the message queue may obtain authentication tokens
auth token is exposed in meter http.request
notifier.py grabs all environment variables. it should probably filter out HTTP_X_AUTH_TOKEN
Use CVE-2014-4615. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJTqRMTAAoJEKllVAevmvmswCgH/RsIZ4ZOHVcfDiZ09THuS4LC G/3KSY7PiZMfmpzHO0gR2R7A7NTo9crH0r2YV4SpPjXN7LiFa8viChQgZygNly+I HOUIEikNZk63JUJoyEjyorXmZpkBC539hvMtxK4gkTkchsHhyiV4CqxroNhlC4Pl QUn1pHfT2GfYuHDYX78Rp9gnfDo+eGnr0BgIN/v12k06k61e/4bIUykgTXWnkefc VnTKIs2ESE5WMNNfdpaKVrmBolLADnZweT+hGhOCki2fsVYoNmzpi+CJZadhDzI9 jtlqYfnkSdV+6ChEzsPcoVRqroZ9C3bddtDViXHKiPj8je9uF3zhXlOun0+XmMM= =iisx -----END PGP SIGNATURE-----
Current thread:
- CVE request for vulnerability in OpenStack Neutron, Ceilometer and pyCADF library Tristan Cacqueray (Jun 23)
- Re: CVE request for vulnerability in OpenStack Neutron, Ceilometer and pyCADF library cve-assign (Jun 23)