Comment 22 for bug 2030976

Jeremy Stanley (fungi) wrote :

Thanks, I agree that's a worthwhile distinction. After an overdue lunch I can see a few other spots worth polishing in my hastily-scrawled prose. How's this...

title: Authentication tokens included in notification messages

reporters:
  - name: Scott Solkhon
    affiliation: G-Research
    reported: 'CVE-TBD'
  - name: Dan Smith
    affiliation: Red Hat
    reported: 'CVE-TBD'

affected-products:
  - product: Ironic
    version: '<20.1.2, >=20.2.0 <21.1.1, >=21.2.0 <21.4.1'
  - product: Nova
    version: '<25.2.1, >=26.0.0 <26.2.1, >=27.0.0 <27.1.1'

description: >
  Scott Solkhon with G-Research and Dan Smith with Red Hat reported
  related vulnerabilities in Ironic and Nova. Some service
  notifications may unnecessarily embed serialized authentication
  tokens, revealing those credentials to systems administrators who
  have access to copies of notifications and allowing them to
  impersonate the affected accounts. Only deployments with
  notifications enabled using the AMQP or Kafka drivers are
  affected.
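An added example, not code from the advisory draft, the bug thread, or the Nova/Ironic projects: a defender-side scan that walks a notification envelope and flags or redacts values whose key names look like authentication tokens, so an operator holding copies of notifications can check what the advisory describes. The key-name pattern and the sample notification are assumptions, not the actual leaking field.

```python
"""Scan oslo.messaging-style notification payloads for embedded auth tokens."""
import copy
import re

# Key names that commonly carry credentials (assumption: not an exhaustive list).
TOKEN_KEY_RE = re.compile(r"(^|_)(auth_)?token($|_)", re.IGNORECASE)

# Constructed sample notification, shaped like a Nova lifecycle event with a
# serialized request context in its payload. The token value is invented.
SAMPLE_NOTIFICATION = {
    "event_type": "compute.instance.create.end",
    "publisher_id": "compute.host1",
    "payload": {
        "instance_id": "d1c4e3f2-0000-4000-8000-000000000001",
        "state": "active",
        "context": {
            "user_id": "u-123",
            "project_id": "p-456",
            "auth_token": "gAAAAAB-constructed-example-token",
            "roles": ["member"],
        },
    },
}


def find_token_leaks(node, path=()):
    """Return key paths whose name looks like a token and whose value is set."""
    leaks = []
    if isinstance(node, dict):
        for key, value in node.items():
            if isinstance(key, str) and TOKEN_KEY_RE.search(key) and value:
                leaks.append(path + (key,))
            leaks.extend(find_token_leaks(value, path + (key,)))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            leaks.extend(find_token_leaks(item, path + (index,)))
    return leaks


def redact_tokens(notification):
    """Return a deep copy with every detected token value replaced."""
    redacted = copy.deepcopy(notification)
    for path in find_token_leaks(redacted):
        parent = redacted
        for step in path[:-1]:
            parent = parent[step]
        parent[path[-1]] = "<redacted>"
    return redacted
```

Run `find_token_leaks` over archived notifications to learn which event types carried a token; `redact_tokens` cleans copies before they are shared or retained.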