Show password feature should be configurable
Bug #1400872 reported by
Lin Hua Cheng
This bug affects 2 people
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| OpenStack Dashboard (Horizon) |
Fix Released
|
High
|
Cindy Lu | ||
| OpenStack Security Advisory |
Won't Fix
|
Undecided
|
Unassigned | ||
Bug Description
Horizon allows the password field to be displayed in plain text. This introduces a potential security risk. Imagine a user leaving their desktop unlock, if the user saved their password on the browser, a malicious user could go into the Login page and display the Openstack password.
The show password feature should be made configurable for operators who wants a more secure deployment of Horizon.
| information type: | Public → Public Security |
| Changed in horizon: | |
| status: | New → Confirmed |
| tags: | added: security |
| Changed in horizon: | |
| assignee: | nobody → Cindy Lu (clu-m) |
| Changed in horizon: | |
| importance: | Undecided → High |
Revision history for this message
| Jeremy Stanley (fungi) wrote | #1 |
| Changed in ossa: | |
| status: | New → Won't Fix |
| information type: | Public Security → Public |
Revision history for this message
| OpenStack Infra (hudson-openstack) wrote Fix proposed to horizon (master) | #2 |
| Changed in horizon: | |
| status: | Confirmed → In Progress |
Revision history for this message
| OpenStack Infra (hudson-openstack) wrote Fix merged to horizon (master) | #3 |
| Changed in horizon: | |
| status: | In Progress → Fix Committed |
| Changed in horizon: | |
| milestone: | none → kilo-2 |
| status: | Fix Committed → Fix Released |
| Changed in horizon: | |
| milestone: | kilo-2 → 2015.1.0 |
To post a comment you must log in.
Pretty sure this is a security hardening opportunity, not a vulnerability for which we would publish an advisory, and so I have classified it accordingly.