Comment 12 for bug 1516765

Grant Murphy (gmurphy) wrote : Re: xenapi: volume_utils._parse_volume_info can leak connection password via StorageError

Does this seem like a reasonable / correct impact description for this:

Title: Potential Xen connection password leak via StorageError
Reporter: Matt Riedemann (IBM)
Products: Nova
Affects: >= 2014.2 <= 2015.1.2, ==12.0.0

Description:
Matt Riedemann from IBM reported an information disclosure vulnerability
in Nova. If a StorageError occurs when attempting to connect a volume
using the Xen API, the connection parameters will be logged. These
parameters may include credentials which are not masked. An attacker
with read access to Nova logs could use these credentials with the
Xen API directly. Only Nova setups using the Xen backend are affected
by this flaw.
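
Added example, not part of the original comment and not Nova's own code: a sketch of the leak pattern described above next to a form that masks credentials before they reach the exception text. The `StorageError` class is a local stand-in, and the function names, message text, key names and sample connection data are all assumptions constructed for illustration.

```python
SENSITIVE = ("password", "secret", "token")  # assumed credential key fragments


class StorageError(Exception):
    """Local stand-in for the exception named in the report."""


def mask_sensitive(value):
    """Return a copy of value with credential-like dict entries masked."""
    if isinstance(value, dict):
        return {k: "***" if any(s in str(k).lower() for s in SENSITIVE)
                else mask_sensitive(v) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return type(value)(mask_sensitive(v) for v in value)
    return value


def parse_volume_info_unsafe(data):
    """'Before' form: raw connection parameters reach the error text."""
    if "target_iqn" not in data:
        raise StorageError("Unable to obtain target information %s" % (data,))
    return data["target_iqn"]


def parse_volume_info_masked(data):
    """Hardened form: mask before the data reaches the exception message."""
    if "target_iqn" not in data:
        raise StorageError("Unable to obtain target information %s"
                           % (mask_sensitive(data),))
    return data["target_iqn"]


def error_text(parser, data):
    """Return the message a log handler would record, or '' on success."""
    try:
        parser(data)
    except StorageError as exc:
        return str(exc)
    return ""


# Constructed sample: connection data missing its target, so parsing fails.
SAMPLE = {"target_portal": "192.0.2.10:3260", "auth_method": "CHAP",
          "auth_username": "nova", "auth_password": "constructed-secret"}
```

Masking works on a copy, so the caller's connection data is unchanged and can still be used for the actual connection attempt.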