OSSA-2020-001: Nova can leak consoleauth token into log files

OSSA-2020-001: Nova can leak consoleauth token into log files¶

Date:: February 19, 2020
CVE:: CVE-2015-9543

Affects¶

Nova: <18.2.4,>=19.0.0<19.1.0,>=20.0.0<20.1.0

Description¶

Paul Carlton from HP reported a vulnerability in Nova. An attacker with read access to the service’s logs may obtain tokens used for console access. All Nova setups using novncproxy are affected.

Patches¶

https://review.opendev.org/707845 (Queens)
https://review.opendev.org/704255 (Rocky)
https://review.opendev.org/702181 (Stein)
https://review.opendev.org/696685 (Train)
https://review.opendev.org/220622 (Ussuri)

Credits¶

Paul Carlton from HP (CVE-2015-9543)

References¶

Notes¶

The stable/queens branch is under extended maintenance and will receive no new point releases, but a patch for it is provided as a courtesy.

this page last updated: 2024-03-18 15:52:07

Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.