Date: Mon, 04 May 2015 12:04:46 -0400 From: Tristan Cacqueray <tristan.cacqueray@...vance.com> To: oss-security@...ts.openwall.com CC: cve-assign@...re.org Subject: CVE request for vulnerability in OpenStack Keystone A vulnerability was discovered in OpenStack (see below). In order to ensure full traceability, we need a CVE number assigned that we can attach to further notifications. This issue is already public, although an advisory was not sent yet. Title: Potential Keystone cache backend password leak in log Reporter: Eric Brown (VMware) Products: Keystone Affects: versions through 2014.1.4, and 2014.2 versions through 2014.2.3 Description: Eric Brown from VMware reported a vulnerability in Keystone. The backend_argument configuration option content is being logged, and it may contain sensitive information for specific backends (like a password for MongoDB). An attacker with read access to Keystone logs may therefore obtain sensitive data about certain backends. All Keystone setups are potentially impacted. References: https://launchpad.net/bugs/1443598 Thanks in advance, -- Tristan Cacqueray OpenStack Vulnerability Management Team Download attachment "signature.asc" of type "application/pgp-signature" (474 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ