GitHub Advisory DatabaseGHSA-C36R-G737-9QP8OpenStack Nova Potential Xen connection password leak via StorageError
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
AI Score
Confidence
Low
EPSS
Percentile
71.7%
The volume_utils._parse_volume_info function in OpenStack Compute (Nova) before 2015.1.3 (kilo) and 12.0.x before 12.0.1 (liberty) includes the connection_info dictionary in the StorageError message when using the Xen backend, which might allow attackers to obtain sensitive password information by reading log files or other unspecified vectors.
Affected configurations
References
www.openwall.com/lists/oss-security/2016/01/07/8
www.openwall.com/lists/oss-security/2016/01/07/9
www.securityfocus.com/bid/80189
bugs.launchpad.net/nova/+bug/1516765
github.com/advisories/GHSA-c36r-g737-9qp8
github.com/openstack/nova/commit/8b289237ed6d53738c22878decf0c429301cf3d0
github.com/openstack/nova/commit/b2acc9fa864b6fe10bc0c5f3786b976b472b1b27
github.com/openstack/nova/commit/cf197ec2d682fb4da777df2291ca7ef101f73b77
github.com/openstack/nova/commit/ef1ccdaca9512b88878155f7d8c2c77853d91252
nvd.nist.gov/vuln/detail/CVE-2015-8749
security.openstack.org/ossa/OSSA-2016-002.html
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
AI Score
Confidence
Low
EPSS
Percentile
71.7%