Comment 25 for bug 1321080
Revision history for this message
| Thierry Carrez (ttx) wrote Re: auth token is exposed in meter http.request | #25 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
9199653
demo site
(Get the code!)
Adjusted tasks to match.
Here is how I would rewrite the advisory:
------
Title: User token leak to message queue in pyCADF notifier middleware
Reporter: Zhi Kun Liu (IBM)
Products: Neutron (2014.1 versions up to 2014.1.1)
pyCADF library (all versions up to 0.5.0)
Description:
Zhi Kun Liu from IBM reported a vulnerability in the notifier middleware available in the PyCADF library and formerly copied into Neutron and Ceilometer code. An attacker with read access to the message queue may obtain authentication tokens used in REST requests (X_AUTH_TOKEN) that goes through the notifier middleware. All services using the notifier middleware configured after the auth_token middleware pipeline are impacted.
------
NB: that would mean from now on we support PyCADF, but I think now would be a good time to start.