OpenStack shell print credentials by default in debug mode
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Glance Client | Fix Released | Undecided | lvdongbing | |
| OpenStack Security Advisory | Won't Fix | Undecided | Unassigned | |
| python-ceilometerclient | Fix Released | Undecided | Zhikun Liu | |
| python-cinderclient | Invalid | Undecided | lvdongbing | |
| python-heatclient | Fix Released | Undecided | lvdongbing | |
| python-neutronclient | Invalid | Undecided | Unassigned | |
| python-novaclient | Fix Released | High | Qin Zhao | |
Bug Description
OpenStack shell client prints credential information (user password and user token) by default in debug mode.
For example:

```
neutron --debug net-list
DEBUG: neutronclient.
DEBUG: neutronclient.
REQ: curl -i http://
```

Other components also have the credentials in debug mode.
This behavior exposes a vulnerability: the shell prints sensitive information when the user didn't expect it to.
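The report above is about the curl-style `REQ:` line the clients print under `--debug`: the `X-Auth-Token` header and the password inside the JSON auth body end up on the terminal verbatim. The following is an added example, not code from any of the OpenStack clients or from the reporter, showing the leaky behaviour beside a redacting variant. The header and body key lists, the `{SHA1}` fingerprinting of tokens, and every function name here are this example's own assumptions; the sample request is constructed.

```python
"""Redact credentials from curl-style debug output (added example, not project code)."""
import hashlib
import json

# Assumption: these name lists are this example's own, not the clients' lists.
SENSITIVE_HEADERS = {"x-auth-token", "x-auth-key", "x-subject-token",
                     "x-service-token", "authorization"}
SENSITIVE_BODY_KEYS = {"password", "token", "secret", "auth_key"}


def mask_token(value):
    """Replace a token with a SHA-1 fingerprint: requests in a log can still be
    correlated by fingerprint, but the token itself is never written out."""
    return "{SHA1}" + hashlib.sha1(value.encode("utf-8")).hexdigest()


def redact_headers(headers):
    """Return a copy of the header dict with credential headers fingerprinted."""
    return {name: (mask_token(value) if name.lower() in SENSITIVE_HEADERS else value)
            for name, value in headers.items()}


def redact_body(obj):
    """Walk a JSON-like structure and replace credential values with '***'.
    Nested keys (auth -> passwordCredentials -> password) are covered too."""
    if isinstance(obj, dict):
        return {k: ("***" if k.lower() in SENSITIVE_BODY_KEYS else redact_body(v))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact_body(item) for item in obj]
    return obj


def format_curl(method, url, headers, body=None):
    """Build a curl-style REQ line like the one the clients print in --debug mode."""
    parts = ["curl -i", url, "-X", method]
    for name in sorted(headers):
        parts.append('-H "%s: %s"' % (name, headers[name]))
    if body is not None:
        parts.append("-d '%s'" % json.dumps(body, sort_keys=True))
    return " ".join(parts)


def debug_request_line(method, url, headers, body=None, redact=True):
    """Produce the debug line; redact=False reproduces the leaky behaviour."""
    if redact:
        headers = redact_headers(headers)
        body = None if body is None else redact_body(body)
    return "REQ: " + format_curl(method, url, headers, body)


def leaks(line, secrets):
    """True if any of the given secret strings appears verbatim in the line."""
    return any(secret in line for secret in secrets)


# Constructed sample: a Keystone v2-style password auth body plus a token header.
SAMPLE_URL = "http://keystone.example:5000/v2.0/tokens"
SAMPLE_HEADERS = {"X-Auth-Token": "1a2b3c4d-example-token",
                  "Content-Type": "application/json"}
SAMPLE_BODY = {"auth": {"passwordCredentials": {"username": "demo",
                                                 "password": "hunter2"}}}
SAMPLE_SECRETS = ["1a2b3c4d-example-token", "hunter2"]

if __name__ == "__main__":
    # Leaky line first, redacted line second.
    print(debug_request_line("POST", SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_BODY, redact=False))
    print(debug_request_line("POST", SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_BODY))
```

Fingerprinting the token rather than blanking it is a design choice: operators debugging a session can still tell that two requests carried the same token, while a pasted debug transcript no longer contains anything that can be replayed. Redaction is applied on a copy, so the real request sent to the service is unchanged.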
- affects: neutron → python-neutronclient
- Changed in python-neutronclient:
  - assignee: nobody → Xu Han Peng (xuhanp)
- information type: Private Security → Public
- summary: neutronclient shell print credentials by default in debug mode → OpenStack shell print credentials by default in debug mode
- description: updated
- no longer affects: nova
- Changed in python-neutronclient:
  - assignee: Feng Ju (jufeng) → Xu Han Peng (xuhanp)
- Changed in python-novaclient:
  - assignee: nobody → Qin Zhao (zhaoqin)
  - status: New → In Progress
- Changed in python-heatclient:
  - assignee: nobody → lvdongbing (dbcocle)
- Changed in python-cinderclient:
  - assignee: nobody → lvdongbing (dbcocle)
- Changed in python-heatclient:
  - assignee: lvdongbing (dbcocle) → nobody
  - status: New → Fix Committed
- Changed in python-glanceclient:
  - status: New → Fix Committed
- Changed in python-heatclient:
  - assignee: nobody → lvdongbing (dbcocle)
- Changed in python-glanceclient:
  - status: Fix Committed → New
- Changed in python-heatclient:
  - status: Fix Committed → New
- Changed in python-glanceclient:
  - assignee: nobody → lvdongbing (dbcocle)
- Changed in python-glanceclient:
  - status: New → In Progress
- Changed in python-heatclient:
  - status: New → In Progress
- Changed in python-novaclient:
  - importance: Undecided → High
- Changed in python-novaclient:
  - milestone: none → 2.19.0
  - status: Fix Committed → Fix Released
- Changed in python-heatclient:
  - status: In Progress → Fix Released
- Changed in python-ceilometerclient:
  - status: In Progress → Fix Released
Hello,
thanks for the report. The OSSA task is set to Won't Fix because a password leak in debug mode does not warrant an advisory.