From 0b074f5c166f091fd0bd62cc4330047ba9dfb4c6 Mon Sep 17 00:00:00 2001
From: Jeremy Stanley
Date: Thu, 26 Jan 2017 14:55:39 +0000
Subject: [PATCH] OSSA-2017-001 (CVE-2017-2592) CatchErrors leaks sensitive values in oslo.middleware

Change-Id: I2a85e96f457e58cc7f2160d733bdc7b1fe8de3df
Closes-Bug: #1628031
---
ossa/OSSA-2017-001.yaml | 37 +++++++++++++++++++++++++++++++++++++
1 file changed, 37 insertions(+)
create mode 100644 ossa/OSSA-2017-001.yaml

diff --git a/ossa/OSSA-2017-001.yaml b/ossa/OSSA-2017-001.yaml
new file mode 100644
index 0000000..036faeb
--- /dev/null
+++ b/ossa/OSSA-2017-001.yaml
@@ -0,0 +1,37 @@
+date: 2017-01-26
+
+id: OSSA-2017-001
+
+title: CatchErrors leaks sensitive values in oslo.middleware
+
+description: >
+ Divya K Konoor with IBM reported a vulnerability in oslo.middleware.
+ Software using the CatchError class may include sensitive values in
+ the error message accompanying a Traceback, resulting in their
+ disclosure. For example, complete API requests (including keystone
+ tokens in their headers) may leak into neutron error logs.
+
+affected-products:
+ - product: oslo.middleware
+ version: "<=3.8.0, >=3.9.0 <=3.19.0, >=3.20.0 <=3.23.0"
+
+vulnerabilities:
+ - cve-id: CVE-2017-2592
+
+reporters:
+ - name: Divya K Konoor
+ affiliation: IBM
+ reported:
+ - CVE-2017-2592
+
+issues:
+ links:
+ - https://launchpad.net/bugs/1628031
+
+reviews:
+ ocata:
+ - https://review.openstack.org/425730
+ newton:
+ - https://review.openstack.org/425732
+ mitaka:
+ - https://review.openstack.org/425734
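Review bot: The `description` names the affected class as `CatchError`, while the `title` and the commit subject both say `CatchErrors`. The two should agree so that operators searching their code or paste pipelines for the affected middleware find it. I would change that line to `Software using the CatchErrors class may include sensitive values in`. The advisory could also add one sentence saying that upgrading does not remove tokens already written to existing logs, so those logs may need access review or rotation. This is inferred from the description's own example of tokens leaking into neutron error logs.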