Information disclosure in Openstack Cinder

CVE-2014-7230

The processutils.execute function in OpenStack oslo-incubator, Cinder, Nova, and Trove before 2013.2.4 and 2014.1 before 2014.1.3 allows local users to obtain passwords from commands that cause a ProcessExecutionError by reading the log.

Vulnerability class: Information Disclosure

EPSS: 0.001 (31.0th percentile) — read the EPSS interpretation.

Affected products

Openstack Cinder
Openstack Nova
Openstack Trove
Canonical Ubuntu_linux — versions 14.04
Redhat Openstack — versions 5.0
N/a — versions n/a

Weakness classification (CWE)

CWE-200 — Information Disclosure

References

[oss-security] 20140929 Re: CVE request for vulnerability in OpenStack Cinder, Nova and Trove (mailing-list, x_refsource_MLIST, Mailing List, Third Party Advisory)
openstack-cinder-cve20147230-info-disc(96725) (Third Party Advisory, VDB Entry, vdb-entry, x_refsource_XF)
70185 (Third Party Advisory, VDB Entry, vdb-entry, x_refsource_BID)
cve@mitre.org (x_refsource_CONFIRM, Third Party Advisory)
RHSA-2014:1939 (x_refsource_REDHAT, vendor-advisory, Third Party Advisory)
USN-2405-1 (x_refsource_UBUNTU, vendor-advisory, Third Party Advisory)