[OSSA 2016-002] xenapi: volume_utils._parse_volume_info can leak connection password via StorageError (CVE-2015-8749)
Bug #1516765 reported by Matt Riedemann
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Compute (nova) | Fix Released | High | Matt Riedemann |
Juno | Won't Fix | Undecided | Unassigned |
Kilo | Fix Released | High | Tony Breeds |
Liberty | Fix Released | High | Matt Riedemann |
Mitaka | Fix Released | High | Matt Riedemann |
OpenStack Security Advisory | Fix Released | Undecided | Unassigned |
Bug Description
This code dumps the connection_info dict into the StorageError message:
https:/
As can be seen a few lines later, auth_password can be in that dict:
https:/
So the password would be leaked into the error message that's raised up. This could eventually get back to the logs or a user if not handled properly.
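The pattern the report describes, as an added illustration that is not nova's own code: a parser that interpolates the whole `connection_info` dict into a `StorageError` beside a version that only lets a redacted copy reach the message. The trigger condition (a missing `data` key), the `SECRET_KEYS` list and the sample dict are constructed for this example; `auth_password` is the key named in the report. The hand-rolled `redact()` plays the role that `oslo_utils.strutils.mask_password` plays in OpenStack code, but which helper the actual fix used is not stated on this page.

```python
"""Added example (not nova's code): keep credentials out of exception text.

The leak in the report is a generic one: a dict that carries secrets is
formatted into an error message, and that message then travels to logs or
to the API user. The defence is to redact before formatting.
"""

# Keys whose values must never appear in an error message or log line.
# This set is an assumption for the example; 'auth_password' comes from
# the bug report, the others are plausible neighbours.
SECRET_KEYS = frozenset({"auth_password", "password", "chap_password"})
REDACTED = "***"


class StorageError(Exception):
    """Stand-in for the XenAPI StorageError mentioned in the report."""


def redact(obj):
    """Return a copy of obj with values under secret keys replaced.

    Recurses into nested dicts and lists (e.g. connection_info['data'])
    and never mutates the input, so the caller can still use the real
    credentials after building the message.
    """
    if isinstance(obj, dict):
        return {k: (REDACTED if k in SECRET_KEYS else redact(v))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


def parse_volume_info_leaky(connection_info):
    """Vulnerable shape: the raw dict is interpolated into the message.

    The 'data' check is a constructed stand-in for whatever validation
    the real _parse_volume_info performs before raising.
    """
    if "data" not in connection_info:
        raise StorageError("Unable to obtain target information %s"
                           % connection_info)
    return connection_info["data"]


def parse_volume_info_safe(connection_info):
    """Hardened shape: only a redacted copy reaches the exception text."""
    if "data" not in connection_info:
        raise StorageError("Unable to obtain target information %s"
                           % redact(connection_info))
    return connection_info["data"]


def error_message(parser, connection_info):
    """Run a parser and return the StorageError text it produced, or None."""
    try:
        parser(connection_info)
    except StorageError as exc:
        return str(exc)
    return None


# Constructed sample: a malformed connection_info (no 'data') that still
# carries CHAP credentials, the situation the report describes.
SAMPLE = {
    "driver_volume_type": "iscsi",
    "auth_method": "CHAP",
    "auth_username": "iscsi-user",
    "auth_password": "s3cr3t-example",
}

if __name__ == "__main__":
    print("leaky:", error_message(parse_volume_info_leaky, SAMPLE))
    print("safe: ", error_message(parse_volume_info_safe, SAMPLE))
```

Running the block prints the two messages side by side: the leaky one contains the literal password, the safe one shows `'auth_password': '***'`. The same redaction should be applied anywhere the dict is logged, which is what the related bug about obfuscating block device mapping `connection_info` is concerned with.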
CVE References
tags: added: kilo-backport-potential liberty-backport-potential
tags: added: juno-backport-potential
tags: removed: juno-backport-potential
Changed in nova: status: Fix Committed → Fix Released
information type: Public → Public Security
summary: xenapi: volume_utils._parse_volume_info can leak connection password via StorageError → xenapi: volume_utils._parse_volume_info can leak connection password via StorageError (CVE-2015-8749)
Changed in ossa: status: Triaged → In Progress
Changed in ossa: status: In Progress → Fix Released
tags: added: in-stable-kilo; removed: kilo-backport-potential liberty-backport-potential
summary: xenapi: volume_utils._parse_volume_info can leak connection password via StorageError (CVE-2015-8749) → [OSSA 2016-002] xenapi: volume_utils._parse_volume_info can leak connection password via StorageError (CVE-2015-8749)
See related bug 1321785 for obfuscating the block device mapping connection_info dict.