Token Leakage

2019-01-1508:59:05

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

JSON

OpenStack Telemetry (ceilometer) is vulnerable to token leakage. It does not escape authentication token used in REST requests (X_AUTH_TOKEN), allowing a malicious user having read access to massage queue to gain access to the token and to escalate the privileges.

CPENameOperatorVersion
openstack-ceilometereq2013.1__4.el6ost
openstack-ceilometereq2013.1__6.el6ost
openstack-ceilometereq2013.1.4__1.el6ost
openstack-ceilometereq2013.1.4__2.el6ost
openstack-ceilometereq2013.1.3__1.el6ost
openstack-ceilometereq2013.1.2__3.el6ost
openstack-ceilometereq2013.2.2__1.el6ost
openstack-ceilometereq2013.2.3__1.el6ost
openstack-ceilometereq2013.2.2__4.el6ost
openstack-ceilometereq2013.2.1__2.el6ost

Name	Operator	Version
openstack-ceilometer	eq	2013.1__4.el6ost
openstack-ceilometer	eq	2013.1__6.el6ost
openstack-ceilometer	eq	2013.1.4__1.el6ost
openstack-ceilometer	eq	2013.1.4__2.el6ost
openstack-ceilometer	eq	2013.1.3__1.el6ost
openstack-ceilometer	eq	2013.1.2__3.el6ost
openstack-ceilometer	eq	2013.2.2__1.el6ost
openstack-ceilometer	eq	2013.2.3__1.el6ost
openstack-ceilometer	eq	2013.2.2__4.el6ost
openstack-ceilometer	eq	2013.2.1__2.el6ost