oss-sec mailing list archives
CVE request for vulnerability in OpenStack Keystone
From: Tristan Cacqueray <tristan.cacqueray () enovance com>
Date: Mon, 04 May 2015 12:04:46 -0400
A vulnerability was discovered in OpenStack (see below). In order to ensure full traceability, we need a CVE number assigned that we can attach to further notifications. This issue is already public, although an advisory was not sent yet. Title: Potential Keystone cache backend password leak in log Reporter: Eric Brown (VMware) Products: Keystone Affects: versions through 2014.1.4, and 2014.2 versions through 2014.2.3 Description: Eric Brown from VMware reported a vulnerability in Keystone. The backend_argument configuration option content is being logged, and it may contain sensitive information for specific backends (like a password for MongoDB). An attacker with read access to Keystone logs may therefore obtain sensitive data about certain backends. All Keystone setups are potentially impacted. References: https://launchpad.net/bugs/1443598 Thanks in advance, -- Tristan Cacqueray OpenStack Vulnerability Management Team
Attachment:
signature.asc
Description: OpenPGP digital signature
Current thread:
- CVE request for vulnerability in OpenStack Keystone Tristan Cacqueray (May 04)
- Re: CVE request for vulnerability in OpenStack Keystone cve-assign (May 04)