Date: Mon, 29 Sep 2014 17:04:50 -0400
From: Tristan Cacqueray <tristan.cacqueray@...vance.com>
To: oss-security@...ts.openwall.com
Subject: CVE request for vulnerability in OpenStack Cinder, Nova and Trove

A vulnerability was discovered in OpenStack (see below). In order to ensure full traceability, we need a CVE number assigned that we can attach to further notifications. This issue is already public, although an advisory was not sent yet.

Title: Potential leak of passwords into log files
Reporter: Amrith Kumar (Tesora)
Products: Cinder, Nova, Trove
Versions: up to 2013.2.3, 2014.1 versions up to 2014.1.2

Description:
Amrith Kumar from Tesora reported two vulnerabilities in the processutils.execute() and strutils.mask_password() functions available from oslo-incubator that are copied into each project's code. An attacker with read access to the services' logs may obtain passwords used as a parameter of a command that has failed or when the mask_password did not mask passwords properly.

References:
https://launchpad.net/bugs/1343604
https://launchpad.net/bugs/1345233

Thanks in advance,

--
Tristan Cacqueray
OpenStack Vulnerability Management Team
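Added example, not part of the original message and not the oslo-incubator code: a command wrapper that masks the failure text before it can reach an exception or a log, covering both cases the description names (a failed command's parameters, and key/value text passed through a masking function). The helper names, key list, patterns and sample secret are hypothetical and constructed for illustration.

```python
import re
import subprocess
import sys

SECRET = "s3cr3t-constructed"  # constructed sample value, not a real credential

# Hypothetical key list and patterns; extend them to match your own services.
_KEYS = r"(?:admin_?pass(?:word)?|pass(?:word|wd)?|secret|token)"
# key=value, key: value and "key": "value", with optional quoting.
_KV = re.compile(
    r"""(?P<pre>["']?\b%s["']?\s*[:=]\s*)(?P<q>["']?)[^"'\s,}&]+(?P=q)""" % _KEYS,
    re.I)
# "--password value" as it appears in a space-joined command line.
_ARG = re.compile(r"(?P<pre>--?%s\s+)\S+" % _KEYS, re.I)


def mask_secrets(text):
    """Replace values that follow a password-like key with ***."""
    text = _ARG.sub(r"\g<pre>***", text)
    return _KV.sub(r"\g<pre>\g<q>***\g<q>", text)


def describe_failure(cmd, returncode, stderr):
    """Build the text for a failed command; mask before it is raised or logged."""
    raw = "Command: %s\nExit code: %d\nStderr: %s" % (
        " ".join(cmd), returncode, stderr)
    return mask_secrets(raw)


def run_checked(cmd):
    """Run cmd; on failure raise an error whose message is already masked."""
    proc = subprocess.run(cmd, capture_output=True, text=True)
    if proc.returncode != 0:
        raise RuntimeError(describe_failure(cmd, proc.returncode, proc.stderr))
    return proc.stdout


# Constructed failing command: echoes its password argument to stderr, exits 3.
FAILING_CMD = [sys.executable, "-c",
               "import sys; sys.stderr.write('bad password=' + sys.argv[2]);"
               " sys.exit(3)",
               "--password", SECRET]
```

Pattern-based masking only catches the forms it was written for, so a check like this belongs in a regression test that is extended whenever a new secret-bearing message format appears.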