First published: Wed Oct 08 2014
The strutils.mask_password function in the OpenStack Oslo utility library, Cinder, Nova, and Trove before 2013.2.4 and 2014.1 before 2014.1.3 does not properly mask passwords when logging commands, which allows local users to obtain passwords by reading the log.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
pip/oslo.utils | <0.2.0 | 0.2.0 |
Red Hat OpenStack Cinder | >=2013.2<2013.2.4 | |
Red Hat OpenStack Cinder | >=2014.1<2014.1.3 | |
OpenStack Nova | >=2013.2<2013.2.4 | |
OpenStack Nova | >=2014.1<2014.1.3 | |
OpenStack Trove | >=2013.2<2013.2.4 | |
OpenStack Trove | >=2014.1<2014.1.3 | |
redhat openstack | =5.0 | |
CVE-2014-7231 is considered a medium severity vulnerability due to potential exposure of sensitive information.
To fix CVE-2014-7231, upgrade the OpenStack Oslo library to version 0.2.0 or later and update affected components to their respective fixed versions.
CVE-2014-7231 affects OpenStack components including Cinder, Nova, and Trove versions before 2013.2.4 and 2014.1 before 2014.1.3.
Local users can exploit CVE-2014-7231 to obtain unmasked passwords from command logs.
Versions of oslo.utils earlier than 0.2.0 are vulnerable to CVE-2014-7231.
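Upgrading stops new passwords from reaching the log, but entries written by an affected version remain on disk. The following is an added example, not code from the advisory or from OpenStack: it scans log lines for credential values that were logged unmasked and redacts them so the exposed secrets can be identified and rotated. The key names, the `***` mask token and the sample log lines are assumptions constructed for illustration.

```python
import re

MASK = "***"  # assumed mask token; adjust to what your logger emits
# Assumed credential key names; extend for your deployment.
_KEYS = r"(?:admin_?pass(?:word)?|auth_password|password|passwd)"
_PATTERN = re.compile(
    r"""(?P<key>--%(k)s(?=\s)               # CLI flag form: --password VALUE
          |%(k)s(?=['"]?\s*[=:]))           # key=VALUE, 'key': 'VALUE'
        ['"]?\s*[=:]?\s*                    # closing quote and separator
        (?:(?P<q>['"])(?P<qv>[^'"]+)(?P=q)  # quoted value (may contain spaces)
          |(?P<bv>[^\s'",}]+))              # bare value
    """ % {"k": _KEYS},
    re.IGNORECASE | re.VERBOSE,
)

def _value(m):
    return m.group("qv") if m.group("qv") is not None else m.group("bv")

def find_unmasked(line):
    """Return the credential keys in `line` whose value is not the mask token."""
    return [m.group("key") for m in _PATTERN.finditer(line) if _value(m) != MASK]

def redact(line):
    """Return `line` with every matched credential value replaced by MASK."""
    def _sub(m):
        start, end = m.span("qv" if m.group("qv") is not None else "bv")
        return line[m.start():start] + MASK + line[end:m.end()]
    return _PATTERN.sub(_sub, line)

# Constructed sample log lines (not taken from any real deployment).
SAMPLE_LOG = [
    "2014-10-08 12:00:01 DEBUG cinder.utils Running cmd (subprocess): sudo tool --password s3cret --user admin",
    "2014-10-08 12:00:02 DEBUG nova.utils Running cmd (subprocess): tool admin_password=hunter2 --force",
    "2014-10-08 12:00:03 DEBUG trove.common Running cmd (subprocess): tool --password *** --user admin",
    "2014-10-08 12:00:04 DEBUG nova.api body: {'adminPass': 'abc 123'}",
    "2014-10-08 12:00:05 INFO nova.api password policy reloaded",
]

def audit(lines):
    """Return (line_number, keys) for each line that still exposes a credential."""
    return [(n, keys) for n, line in enumerate(lines, 1) if (keys := find_unmasked(line))]

if __name__ == "__main__":
    for n, keys in audit(SAMPLE_LOG):
        print(f"line {n}: unmasked {keys} -> {redact(SAMPLE_LOG[n - 1])}")
```

Any credential flagged by `audit` should be treated as disclosed to anyone who could read that log file and rotated accordingly.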