Thanks, taking the revised view of this vulnerability into account, here's a rewritten impact statement for use in the CVE request and subsequent security advisory publication (note that the fix to master was included in 14.4.0; its stable branch backports have not merged yet as of the time of writing):
title: Authentication tokens included in notification messages
reporters:
  - name: Scott Solkhon
    affiliation: G-Research
    reported: 'CVE-TBD'
affected-products:
  - product: oslo.messaging
    version: '<12.13.2, >=12.14.0 <14.0.2, >=14.1.0 <14.2.2, >=14.3.0 <14.4.0'
description: >
  Scott Solkhon with G-Research reported a vulnerability in
  oslo.messaging's notifier. Some service notifications may include
  context with embedded authentication tokens, which become
  serialized within the message revealing those credentials to
  systems administrators who have access to copies of notifications,
  potentially allowing them to impersonate the affected accounts.
  Only deployments with notifications enabled using the AMQP or
  Kafka drivers are affected.
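
An added example, not part of the comment above and not oslo.messaging code: a check of a release number against the `version` string in the draft, reading commas as alternative ranges and spaces as bounds of one range. The helper names are hypothetical, the range is the draft's as posted (stable backports were still pending), and only plain numeric versions are handled.

```python
import re
from importlib import metadata

# Range string copied from the draft advisory above: commas separate
# alternative ranges, spaces join the bounds of one range.
AFFECTED = "<12.13.2, >=12.14.0 <14.0.2, >=14.1.0 <14.2.2, >=14.3.0 <14.4.0"

_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
}


def parse_version(text):
    """'14.4' -> (14, 4, 0, 0). Only plain numeric releases are accepted."""
    if not re.fullmatch(r"\d+(\.\d+){0,3}", text.strip()):
        raise ValueError(f"unsupported version string: {text!r}")
    parts = tuple(int(p) for p in text.strip().split("."))
    # Pad so that '14.4' and '14.4.0' compare as equal.
    return parts + (0,) * (4 - len(parts))


def is_affected(version, spec=AFFECTED):
    """True if version satisfies every bound of at least one alternative."""
    v = parse_version(version)
    for alternative in spec.split(","):
        bounds = re.findall(r"(<=|>=|==|<|>)\s*(\d+(?:\.\d+)*)", alternative)
        if not bounds:
            raise ValueError(f"cannot parse range: {alternative!r}")
        if all(_OPS[op](v, parse_version(bound)) for op, bound in bounds):
            return True
    return False


if __name__ == "__main__":
    try:
        installed = metadata.version("oslo.messaging")
    except metadata.PackageNotFoundError:
        print("oslo.messaging is not installed in this environment")
    else:
        state = "in" if is_affected(installed) else "outside"
        print(f"oslo.messaging {installed} is {state} the affected range")
```

A version inside the range matters only where notifications are enabled with the AMQP or Kafka drivers, as the description states.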