Vulnerability Details : CVE-2014-7231
The strutils.mask_password function in the OpenStack Oslo utility library, Cinder, Nova, and Trove before 2013.2.4 and 2014.1 before 2014.1.3 does not properly mask passwords when logging commands, which allows local users to obtain passwords by reading the log.
Vulnerability category: Information leak
Exploit prediction scoring system (EPSS) score for CVE-2014-7231
Probability of exploitation activity in the next 30 days: 0.04%
Percentile, the proportion of vulnerabilities that are scored at or less: ~6%
CVSS scores for CVE-2014-7231
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
2.1 | LOW | AV:L/AC:L/Au:N/C:P/I:N/A:N | 3.9 | 2.9 | NIST |
CWE ids for CVE-2014-7231
- The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-7231
- http://seclists.org/oss-sec/2014/q3/853
  Mailing List; Third Party Advisory
- http://www.securityfocus.com/bid/70184
  OpenStack Cinder/Nova/Trove CVE-2014-7231 Local Password Disclosure Vulnerability (Third Party Advisory; VDB Entry)
- http://rhn.redhat.com/errata/RHSA-2014-1939.html
  RHSA-2014:1939 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- https://bugs.launchpad.net/oslo.utils/+bug/1345233
  Bug #1345233 “Make the checks in strutils.mask_password more sec...” : Bugs : oslo.utils (Exploit; Third Party Advisory)
- https://exchange.xforce.ibmcloud.com/vulnerabilities/96726
  OpenStack Cinder, Nova, and Trove strutils.mask_password() information disclosure CVE-2014-7231 Vulnerability Report (Third Party Advisory; VDB Entry)
Products affected by CVE-2014-7231
- cpe:2.3:a:redhat:openstack:5.0:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:nova:*:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:cinder:*:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:trove:*:*:*:*:*:*:*:*