PT-2018-7122 · Openstack+1 · Python-Oslo-Middleware+1
Divya K Konoor · Published 2017-03-29 · Updated 2019-10-09 · CVE-2017-2592
CVSS v4.0: 7.1 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions:
python-oslo-middleware versions prior to 3.8.1, 3.19.1, 3.23.1
Description:
The issue allows system users to obtain sensitive information from OpenStack component error logs, such as keystone tokens, by exploiting a flaw in the CatchError class. This class could include sensitive values in a traceback's error message, leading to an information disclosure.
Recommendations:
For versions prior to 3.8.1, update to version 3.8.1 or later.
For versions prior to 3.19.1, update to version 3.19.1 or later.
For versions prior to 3.23.1, update to version 3.23.1 or later.
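The logging behaviour described above, as an added example that is not the oslo.middleware code or its patch: a stdlib-only WSGI error catcher that writes the failing request to the log with and without masking of token headers. The names `RedactingCatchError`, `dump_request`, `redact` and `run_demo`, the header pattern and the sample request are assumptions made for illustration.

```python
import io
import logging
import re

LOG = logging.getLogger("catch_error_demo")
# Assumption: any "X-...-Token" request header carries a credential.
_TOKEN_RE = re.compile(r"^(X-[\w-]*Token):.*$", re.MULTILINE | re.IGNORECASE)

def dump_request(environ):
    """Render method, path and headers as text, as an error log entry would."""
    lines = ["%s %s" % (environ["REQUEST_METHOD"], environ["PATH_INFO"])]
    for key, value in sorted(environ.items()):
        if key.startswith("HTTP_"):
            name = "-".join(p.capitalize() for p in key[5:].split("_"))
            lines.append("%s: %s" % (name, value))
    return "\n".join(lines)

def redact(text):
    """Replace the value of every token header line with a fixed marker."""
    return _TOKEN_RE.sub(r"\1: <removed>", text)

class RedactingCatchError:
    """Hypothetical error-catching middleware; mask=False shows the leaky form."""
    def __init__(self, app, mask=True):
        self.app, self.mask = app, mask

    def __call__(self, environ, start_response):
        try:
            return self.app(environ, start_response)
        except Exception:
            req = dump_request(environ)
            # Only the request dump is masked; exception text is logged as raised.
            LOG.exception("Error processing request:\n%s",
                          redact(req) if self.mask else req)
            start_response("500 Internal Server Error", [])
            return [b"Internal Server Error"]

def run_demo(mask):
    """Send one constructed failing request through; return the log text."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    LOG.addHandler(handler)
    LOG.propagate = False
    def failing_app(environ, start_response):
        raise RuntimeError("backend failure")
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/v3/users",
               "HTTP_ACCEPT": "application/json",
               "HTTP_X_AUTH_TOKEN": "constructed-sample-token"}  # constructed value
    RedactingCatchError(failing_app, mask)(environ, lambda s, h: None)
    LOG.removeHandler(handler)
    return buf.getvalue()
```

Running `run_demo(False)` and `run_demo(True)` and searching the output for the sample token shows the difference a log reviewer would look for when checking whether error logs on a deployment still carry token values.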
Fix
Insertion into Log File
Weakness Enumeration
Related Identifiers
Affected Products:
Ubuntu, Python-Oslo-Middleware