OSSA-2017-001 (CVE-2017-2592)

CatchErrors leaks sensitive values in oslo.middleware

Change-Id: I2a85e96f457e58cc7f2160d733bdc7b1fe8de3df
Closes-Bug: #1628031
Jeremy Stanley 2 years ago
parent
commit
0b074f5c16
1 changed files with 37 additions and 0 deletions

ossa/OSSA-2017-001.yaml (+37, -0)

@@ -0,0 +1,37 @@
1
+date: 2017-01-26
2
+
3
+id: OSSA-2017-001
4
+
5
+title: CatchErrors leaks sensitive values in oslo.middleware
6
+
7
+description: >
8
+  Divya K Konoor with IBM reported a vulnerability in oslo.middleware.
9
+  Software using the CatchError class may include sensitive values in
10
+  the error message accompanying a Traceback, resulting in their
11
+  disclosure. For example, complete API requests (including keystone
12
+  tokens in their headers) may leak into neutron error logs.
13
+
14
+affected-products:
15
+  - product: oslo.middleware
16
+    version: "<=3.8.0, >=3.9.0 <=3.19.0, >=3.20.0 <=3.23.0"
17
+
18
+vulnerabilities:
19
+  - cve-id: CVE-2017-2592
20
+
21
+reporters:
22
+  - name: Divya K Konoor
23
+    affiliation: IBM
24
+    reported:
25
+      - CVE-2017-2592
26
+
27
+issues:
28
+  links:
29
+    - https://launchpad.net/bugs/1628031
30
+
31
+reviews:
32
+  ocata:
33
+    - https://review.openstack.org/425730
34
+  newton:
35
+    - https://review.openstack.org/425732
36
+  mitaka:
37
+    - https://review.openstack.org/425734
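
Review bot: The description's "Software using the CatchError class" spells the class differently from the title, which says "CatchErrors"; use one spelling in both places so that anyone searching the advisory or their own code for the class name matches both lines. Separately, the affected-products string "<=3.8.0, >=3.9.0 <=3.19.0, >=3.20.0 <=3.23.0" only implies the fixed releases through the gaps between ranges, and the reviews section lists branches rather than versions; a sentence in the description naming the first fixed release on each series would let operators check their installed oslo.middleware version directly. Since the description says keystone tokens may already have reached neutron error logs, it would also help to say that existing log files can still contain those values after upgrading.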