CVE-2014-7231

2014-10-0819:55:04

CWE-200

[email protected]

web.nvd.nist.gov

cve-2014-7231

openstack

oslo utility library

password masking

local users

log security

2.1 Low

CVSS2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:L/Au:N/C:P/I:N/A:N

6.1 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

5.1%

JSON

The strutils.mask_password function in the OpenStack Oslo utility library, Cinder, Nova, and Trove before 2013.2.4 and 2014.1 before 2014.1.3 does not properly mask passwords when logging commands, which allows local users to obtain passwords by reading the log.

Affected configurations

NVD

Node

openstackcinderRange2013.2–2013.2.4

openstackcinderRange2014.1–2014.1.3

openstacknovaRange2013.2–2013.2.4

openstacknovaRange2014.1–2014.1.3

openstacktroveRange2013.2–2013.2.4

openstacktroveRange2014.1–2014.1.3

Node

redhatopenstackMatch5.0

CPENameOperatorVersion
openstack:cinderopenstack cinderlt2013.2.4
openstack:cinderopenstack cinderlt2014.1.3
openstack:novaopenstack novalt2013.2.4
openstack:novaopenstack novalt2014.1.3
openstack:troveopenstack trovelt2013.2.4
openstack:troveopenstack trovelt2014.1.3

CPE	Name	Operator	Version
openstack:cinder	openstack cinder	lt	2013.2.4
openstack:cinder	openstack cinder	lt	2014.1.3
openstack:nova	openstack nova	lt	2013.2.4
openstack:nova	openstack nova	lt	2014.1.3
openstack:trove	openstack trove	lt	2013.2.4
openstack:trove	openstack trove	lt	2014.1.3