PT-2014-4378 · Openstack · Openstack Image Registry/Delivery Service
Nikhil Komawar +1 · Published 2014-02-14 · Updated 2022-05-17 · CVE-2014-1948
CVSS v4.0: 5.1 (Medium)
Vector: AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
OpenStack Image Registry and Delivery Service (Glance) versions 2013.2 through 2013.2.1
OpenStack Image Registry and Delivery Service (Glance) Icehouse before icehouse-2
Description
When authentication fails and WARNING level logging is enabled, the log contains a URL with the Swift store backend password. Local users who can read the log can therefore obtain this sensitive information.
Recommendations
For OpenStack Image Registry and Delivery Service (Glance) versions 2013.2 through 2013.2.1, consider disabling WARNING level logging until a patch is available.
For OpenStack Image Registry and Delivery Service (Glance) Icehouse before icehouse-2, consider disabling WARNING level logging until a patch is available.
As a temporary workaround, restrict access to the log files to minimize the risk of exploitation.
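A complementary stopgap to the workarounds above, as an added example that is not Glance code or the upstream fix: a Python `logging` filter that masks the password in any credentialed URL before a handler writes the record. It assumes the password appears in URL userinfo form (`scheme://user:password@host/...`); the logger name, the sample URL and its `swift+https` scheme are constructed for illustration.

```python
import io
import logging
import re

MASK = "***"

# Assumption: the password sits in URL userinfo form, scheme://user:password@host/...
# The user part may itself contain ':' (e.g. tenant:user), so the password is
# taken as the last ':'-separated field before '@'.
_USERINFO = re.compile(
    r"(?P<scheme>\b[a-z][a-z0-9+.-]*://)(?P<user>[^\s/@]*):(?P<pw>[^\s/@:]+)@",
    re.IGNORECASE,
)


def redact(text):
    """Replace the password in any credentialed URL found in text."""
    return _USERINFO.sub(lambda m: f"{m['scheme']}{m['user']}:{MASK}@", text)


class RedactUrlPasswords(logging.Filter):
    """Rewrite each record's formatted message before a handler emits it."""

    def filter(self, record):
        # Format msg % args first so URLs passed as arguments are covered too.
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def demo():
    """Log one constructed WARNING line and return what reached the handler."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    # Attach to the handler, not the logger: handler filters also see records
    # propagated from child loggers.
    handler.addFilter(RedactUrlPasswords())
    log = logging.getLogger("redaction_demo")  # hypothetical logger name
    log.setLevel(logging.WARNING)
    log.propagate = False
    log.addHandler(handler)
    # Constructed sample; host, account and password are made up.
    url = "swift+https://tenant:user:s3cret@auth.example.com/v2.0/images/abc"
    log.warning("Authentication failed for store location %s", url)
    log.removeHandler(handler)
    return stream.getvalue()


if __name__ == "__main__":
    print(demo(), end="")
```

The filter rewrites the formatted message only; exception text attached through `exc_info` is rendered later by the formatter and is not covered. Log files written before the filter was installed still hold the password and need the access restriction described above.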
Fix
Insertion into Log File
Related Identifiers
Affected Products
Openstack Image Registry/Delivery Service