61 lines
1.5 KiB
YAML
61 lines
1.5 KiB
YAML
date: 2014-02-12
|
|
|
|
id: OSSA-2014-004
|
|
|
|
title: 'Glance Swift store backend password leak'
|
|
|
|
description: 'Nikhil Komawar from Rackspace reported an information leak in Glance
|
|
logs. The password for the Swift store backend is logged at WARNING level as part
|
|
of the URL when authentication to a store fails if image location is not disabled
|
|
by policy or the store is a single-tenant configuration. An attacker with access
|
|
to the logs (local shell, log aggregation system access, or accidental leak) may
|
|
leverage this vulnerability to elevate privileges and gain direct full access to
|
|
the Glance Swift store backend. Only Glance setups using the Swift store backend
|
|
are affected.'
|
|
|
|
reference: http://lists.openstack.org/pipermail/openstack-announce/2014-February/000194.html
|
|
|
|
affected-products:
|
|
|
|
- product: glance
|
|
version: 2013.2 versions up to 2013.2.1
|
|
|
|
vulnerabilities:
|
|
|
|
- cve-id: CVE-2014-1948
|
|
impact-assessment:
|
|
source: 'Red Hat Product Security'
|
|
rating: moderate
|
|
assessment:
|
|
type: CVSS2
|
|
score: 3.3
|
|
detail: AV:L/AC:M/Au:N/C:P/I:P/A:N
|
|
classification:
|
|
source: 'Red Hat Product Security'
|
|
type: CWE
|
|
detail: TODO
|
|
|
|
reporters:
|
|
|
|
- name: 'Nikhil Komawar'
|
|
affiliation: Rackspace
|
|
reported:
|
|
- CVE-2014-1948
|
|
|
|
issues:
|
|
|
|
links:
|
|
- https://launchpad.net/bugs/1275062
|
|
|
|
type: launchpad
|
|
|
|
reviews:
|
|
|
|
icehouse:
|
|
- https://review.openstack.org/#/c/71419
|
|
|
|
havana:
|
|
- https://review.openstack.org/#/c/72473
|
|
|
|
type: gerrit
|