Comment 1 for bug 1377981

Tristan Cacqueray (tristan-cacqueray) wrote : Re: Missing fix for ssh_execute (Exceptions thrown may contain passwords)

Here is the updated impact description.

Title: Potential leak of passwords into log files
Reporter: Amrith Kumar (Tesora)
Products: Cinder and Nova (versions up to 2014.1.3)
                    Trove (versions up to 2014.1.2)

Description:
Amrith Kumar from Tesora reported two vulnerabilities in the processutils.execute() and strutils.mask_password() functions available from oslo-incubator that are copied into each project's code. An attacker with read access to the services' logs may obtain passwords used as a parameter of a command that has failed or when the mask_password did not mask passwords properly.
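
The first failure mode in the description above, shown as an added example. It is not code from oslo-incubator or the affected projects. A failed command's exception text carries its arguments into whatever logs it, and the fix is to mask when the exception is built. The names `mask_secrets`, `CommandFailed`, `run_leaky`, `run_masked`, the key list and the sample command are all assumptions made for illustration.

```python
import re
import subprocess
import sys

# Assumed key names; a simplified stand-in, not oslo's actual patterns.
_SECRET_KEYS = ("password", "passwd", "admin_pass")
_MASK_RE = re.compile(
    r"((?:%s)['\"]?\s*[=:\s]\s*['\"]?)[^\s'\",]+" % "|".join(_SECRET_KEYS),
    re.IGNORECASE,
)

def mask_secrets(text, replacement="***"):
    """Replace the value following a known secret key with a placeholder."""
    return _MASK_RE.sub(lambda m: m.group(1) + replacement, text)

class CommandFailed(Exception):
    """Failure report whose fields are masked before anything can log them."""
    def __init__(self, cmd, returncode, stderr):
        self.cmd = mask_secrets(" ".join(cmd))
        self.returncode = returncode
        self.stderr = mask_secrets(stderr)
        super().__init__("%r exited %d: %s" % (self.cmd, returncode, self.stderr))

def run_leaky(cmd):
    """Before: the stdlib exception text embeds the full argument list."""
    try:
        subprocess.run(cmd, check=True, capture_output=True, text=True)
    except subprocess.CalledProcessError as exc:
        return str(exc)  # what a log.exception() call would record
    return ""

def run_masked(cmd):
    """After: mask where the exception is built, not at each log call."""
    proc = subprocess.run(cmd, capture_output=True, text=True)
    if proc.returncode != 0:
        raise CommandFailed(cmd, proc.returncode, proc.stderr)
    return proc.stdout

# Constructed failing command: echoes its argument to stderr and exits 1.
SAMPLE_CMD = [sys.executable, "-c",
              "import sys; sys.stderr.write('rejected ' + sys.argv[1]); sys.exit(1)",
              "--password=s3cr3t-constructed"]
```

The pattern deliberately over-masks (any token following a secret key name is replaced), which is the safer direction for log output.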