|
Message-Id: <20150504165511.4E92A6C005F@smtpvmsrv1.mitre.org> Date: Mon, 4 May 2015 12:55:11 -0400 (EDT) From: cve-assign@...re.org To: tristan.cacqueray@...vance.com Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: CVE request for vulnerability in OpenStack Keystone -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > Title: Potential Keystone cache backend password leak in log > Affects: versions through 2014.1.4, and 2014.2 versions through 2014.2.3 > The > backend_argument configuration option content is being logged, and it > may contain sensitive information for specific backends (like a password > for MongoDB). An attacker with read access to Keystone logs may > therefore obtain sensitive data > https://launchpad.net/bugs/1443598 > there are other backends provided by dogpile that support > authentication through "arguments" (which keystone exposes as > "backend_arguments"): > In addition, custom cache backend implementations could also utilize > backend_arguments. All of those would be affected as well. Use CVE-2015-3646. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJVR6IJAAoJEKllVAevmvms/qkH/3xbAcGsfGXCxlscmRmfInDR 3LoP1RjtJrn3NSYhUTBj8dNXT5qnD0W7uf2WtUh5l1nRQ4O1qWJvMGizNTHZVtfi dkONWWk33bYg8nNwmlrS1Famy4i7i7yCFRbcpOTaYXad668dzSp0xLq4gcrTlR2A uXySvJ/ohW8fSzbAtD6yh03JEB6iZ5yV1aYYJHiLc+DIq7ptymOEQ4DRbUqb8EAT WL12gOTrL/cAPZsX/s5REnEJ10gYwif7Bpl3lRKELLK4tCPw2mIcZHfih+0HJCw3 ntqJg1T8KEYUkgrWnoiQOig1lPQBq2UeFdPB+eYvpPShJHLjqtwEum1XDlkR1fI= =/tHl -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.