Paul Carlton

Name of the Vulnerable Software and Affected Versions: OpenStack Nova versions prior to 18.2.4 OpenStack Nova versions 19.x before 19.1.0 OpenStack Nova versions 20.x before 20.1.0 Description: The issue can leak consoleauth tokens into log files, allowing an attacker with read access to the service's logs to obtain tokens used for console access. All Nova setups using novncproxy are affected. This is related to the `NovaProxyRequestHandlerBase.new websocket client` function in `console/websocketproxy.py`. Recommendations: For OpenStack Nova versions prior to 18.2.4, update to version 18.2.4 or later. For OpenStack Nova versions 19.x before 19.1.0, update to version 19.1.0 or later. For OpenStack Nova versions 20.x before 20.1.0, update to version 20.1.0 or later. As a temporary workaround, consider restricting access to the log files to minimize the risk of exploitation.