CVE-2014-7231 : The strutils.mask_password function in the OpenStack Oslo utility library, Cinder, Nova, and Trove before 2013.2.4 and 2

The strutils.mask_password function in the OpenStack Oslo utility library, Cinder, Nova, and Trove before 2013.2.4 and 2014.1 before 2014.1.3 does not properly mask passwords when logging commands, which allows local users to obtain passwords by reading the log.

Published 2014-10-08 19:55:05

Updated 2018-11-16 15:28:56

Source MITRE

View at NVD, CVE.org

Vulnerability category: Information leak

Exploit prediction scoring system (EPSS) score for CVE-2014-7231

Probability of exploitation activity in the next 30 days: 0.04%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 6 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2014-7231

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
2.1	LOW	AV:L/AC:L/Au:N/C:P/I:N/A:N	3.9	2.9	NIST
Access Vector: Local Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None

CWE ids for CVE-2014-7231

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2014-7231

http://seclists.org/oss-sec/2014/q3/853

Mailing List;Third Party Advisory

CVEs referencing this url
http://www.securityfocus.com/bid/70184

OpenStack Cinder/Nova/Trove CVE-2014-7231 Local Password Disclosure Vulnerability
Third Party Advisory;VDB Entry
http://rhn.redhat.com/errata/RHSA-2014-1939.html

RHSA-2014:1939 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://bugs.launchpad.net/oslo.utils/+bug/1345233

Bug #1345233 “Make the checks in strutils.mask_password more sec...” : Bugs : oslo.utils
Exploit;Third Party Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/96726

OpenStack Cinder, Nova, and Trove strutils.mask_password() information disclosure CVE-2014-7231 Vulnerability Report
Third Party Advisory;VDB Entry

Products affected by CVE-2014-7231

Redhat » Openstack » Version: 5.0
cpe:2.3:a:redhat:openstack:5.0:*:*:*:*:*:*:*
Matching versions
Openstack » Nova
Versions from including (>=) 2014.1 and before (<) 2014.1.3
cpe:2.3:a:openstack:nova:*:*:*:*:*:*:*:*
Matching versions
Openstack » Nova
Versions from including (>=) 2013.2 and before (<) 2013.2.4
cpe:2.3:a:openstack:nova:*:*:*:*:*:*:*:*
Matching versions
Openstack » Cinder
Versions from including (>=) 2014.1 and before (<) 2014.1.3
cpe:2.3:a:openstack:cinder:*:*:*:*:*:*:*:*
Matching versions
Openstack » Cinder
Versions from including (>=) 2013.2 and before (<) 2013.2.4
cpe:2.3:a:openstack:cinder:*:*:*:*:*:*:*:*
Matching versions
Openstack » Trove
Versions from including (>=) 2014.1 and before (<) 2014.1.3
cpe:2.3:a:openstack:trove:*:*:*:*:*:*:*:*
Matching versions
Openstack » Trove
Versions from including (>=) 2013.2 and before (<) 2013.2.4
cpe:2.3:a:openstack:trove:*:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2014-7231

Exploit prediction scoring system (EPSS) score for CVE-2014-7231

CVSS scores for CVE-2014-7231

CWE ids for CVE-2014-7231

References for CVE-2014-7231

Products affected by CVE-2014-7231