Thanks, I agree that's a worthwhile distinction. After an overdue lunch I can see a few other spots worth polishing in my hastily-scrawled prose. How's this...
title: Authentication tokens included in notification messages
reporters:
  - name: Scott Solkhon
    affiliation: G-Research
    reported: 'CVE-TBD'
  - name: Dan Smith
    affiliation: Red Hat
    reported: 'CVE-TBD'
affected-products:
  - product: Ironic
    version: '<20.1.2, >=20.2.0 <21.1.1, >=21.2.0 <21.4.1'
  - product: Nova
    version: '<25.2.1, >=26.0.0 <26.2.1, >=27.0.0 <27.1.1'
description: >
  Scott Solkhon with G-Research and Dan Smith with Red Hat reported
  related vulnerabilities in Ironic and Nova. Some service
  notifications may unnecessarily embed serialized authentication
  tokens, revealing those credentials to systems administrators who
  have access to copies of notifications and allowing them to
  impersonate the affected accounts. Only deployments with
  notifications enabled using the AMQP or Kafka drivers are
  affected.
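An added example, not part of the original comment or of either project's code: a checker that tests an installed release against the affected-products ranges in the draft above. It assumes commas separate alternative ranges, that space-separated constraints inside one range must all hold, and that versions are plain dotted integers; the function names are hypothetical.

```python
import re

# Range strings copied from the affected-products entries in the draft above.
AFFECTED = {
    "Ironic": "<20.1.2, >=20.2.0 <21.1.1, >=21.2.0 <21.4.1",
    "Nova": "<25.2.1, >=26.0.0 <26.2.1, >=27.0.0 <27.1.1",
}

_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
}
_CONSTRAINT = re.compile(r"(<=|>=|==|<|>)(\d+(?:\.\d+)*)")


def parse_version(text):
    """Turn '21.4.0' into (21, 4, 0); reject suffixes such as 'rc1' or '.dev3'."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def _holds(version, constraint):
    """Evaluate one constraint such as '>=20.2.0' against a version tuple."""
    match = _CONSTRAINT.fullmatch(constraint)
    if match is None:
        raise ValueError(f"unsupported constraint: {constraint!r}")
    bound = parse_version(match.group(2))
    # Pad with zeros so '27.1' compares as 27.1.0.
    width = max(len(version), len(bound))
    pad = lambda v: v + (0,) * (width - len(v))
    return _OPS[match.group(1)](pad(version), pad(bound))


def in_range(version, spec):
    """True if version satisfies every constraint of at least one range."""
    parsed = parse_version(version)
    ranges = [r.split() for r in spec.split(",") if r.strip()]
    return any(all(_holds(parsed, c) for c in r) for r in ranges)


def is_affected(product, version):
    """Check an upstream release number against the draft's ranges."""
    return in_range(version, AFFECTED[product])
```

Distribution packages can carry backported fixes under an older version number, so a match here is a prompt to check the package changelog rather than a final verdict.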