OpenStack Glance sensitive information disclosure via logs

GHSA-4xw6-hj5p-4j79 · CVE-2014-1948 · PYSEC-2014-102

Published May 17, 2022 · Modified Nov 26, 2024

Description

OpenStack Image Registry and Delivery Service (Glance) 2013.2 through 2013.2.1 and Icehouse before icehouse-2 logs a URL containing the Swift store backend password when authentication fails and WARNING level logging is enabled, which allows local users to obtain sensitive information by reading the log.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2014-1948
WEB https://github.com/openstack/glance/commit/108f0e04ad2ed3dc287f1b71b987a7e9d66072ba
WEB https://github.com/openstack/glance/commit/f6e41e9c0ff3aa9ee57b8c8ed8c789f1aff019bc
WEB https://bugs.launchpad.net/glance/+bug/1275062
PACKAGE https://github.com/openstack/glance
WEB https://github.com/pypa/advisory-database/tree/main/vulns/glance/PYSEC-2014-102.yaml
WEB http://rhn.redhat.com/errata/RHSA-2014-0229.html
WEB http://www.openwall.com/lists/oss-security/2014/02/12/18

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes