It looks like the backports are starting to get approved and merge now as well. Once they're all merged, I propose switching this bug to Public Security and following our lighter-weight public report disclosure process from that point instead of continuing to maintain an embargo (the risk posed by this bug seems pretty minimal).
Proposed impact description:
Title: Nova logs sensitive context from notification exceptions
Reporter: Matt Riedemann (Huawei)
Products: Nova
Affects: >=13.0.0 <=13.1.3, >=14.0.0 <=14.0.4, >=15.0.0 <=15.0.1
Description:
Matt Riedemann with Huawei reported a vulnerability in Nova. Legacy notification exception contexts appearing in ERROR level logs may include sensitive information such as account passwords and authorization tokens. All Nova setups are affected.