96 lines
2.2 KiB
YAML
96 lines
2.2 KiB
YAML
date: 2014-10-15
|
|
|
|
id: OSSA-2014-036
|
|
|
|
title: 'Potential leak of passwords into log files'
|
|
|
|
description: "Amrith Kumar from Tesora reported two vulnerabilities in the
|
|
processutils.execute() and strutils.mask_password() functions available
|
|
from oslo-incubator that are copied into each project's code. An
|
|
attacker with read access to the services' logs may obtain passwords
|
|
used as a parameter of a command that has failed (CVE-2014-7230) or when
|
|
mask_password did not mask passwords properly (CVE-2014-7231). All
|
|
Cinder, Nova and Trove setups are affected."
|
|
|
|
|
|
reference: http://lists.openstack.org/pipermail/openstack-announce/2014-October/000294.html
|
|
|
|
affected-products:
|
|
|
|
- product: nova
|
|
version: up to 2014.1.3
|
|
|
|
- product: cinder
|
|
version: up to 2014.1.3
|
|
|
|
- product: trove
|
|
version: up to 2014.1.2
|
|
|
|
vulnerabilities:
|
|
|
|
- cve-id: CVE-2014-7230
|
|
impact-assessment:
|
|
source: 'Red Hat Product Security'
|
|
rating: low
|
|
assessment:
|
|
type: CVSS2
|
|
score: 2.1
|
|
detail: AV:L/AC:L/Au:N/C:P/I:N/A:N
|
|
classification:
|
|
source: 'Red Hat Product Security'
|
|
type: CWE
|
|
detail: CWE-533
|
|
|
|
- cve-id: CVE-2014-7231
|
|
impact-assessment:
|
|
source: 'Red Hat Product Security'
|
|
rating: low
|
|
assessment:
|
|
type: CVSS2
|
|
score: 2.1
|
|
detail: AV:L/AC:L/Au:N/C:P/I:N/A:N
|
|
classification:
|
|
source: 'Red Hat Product Security'
|
|
type: CWE
|
|
detail: CWE-533
|
|
|
|
|
|
reporters:
|
|
|
|
- name: 'Amrith Kumar'
|
|
affiliation: Tesora
|
|
reported:
|
|
- CVE-2014-7230
|
|
- CVE-2014-7231
|
|
|
|
issues:
|
|
|
|
links:
|
|
- https://launchpad.net/bugs/1377981
|
|
- https://launchpad.net/bugs/1343604
|
|
- https://launchpad.net/bugs/1345233
|
|
|
|
type: launchpad
|
|
|
|
reviews:
|
|
|
|
kilo:
|
|
- https://review.openstack.org/116927
|
|
- https://review.openstack.org/126052
|
|
- https://review.openstack.org/116982
|
|
- https://review.openstack.org/126047
|
|
- https://review.openstack.org/121417
|
|
|
|
juno:
|
|
- https://review.openstack.org/126594
|
|
- https://review.openstack.org/126592
|
|
|
|
icehouse:
|
|
- https://review.openstack.org/121382
|
|
- https://review.openstack.org/126665
|
|
- https://review.openstack.org/121096
|
|
- https://review.openstack.org/126699
|
|
- https://review.openstack.org/121416
|
|
|
|
type: gerrit
|