Sensitive Information Exposure in OpenStack Identity by OpenStack Foundation
CVE-2015-3646
Currently unrated
Summary
OpenStack Identity (Keystone) before version 2014.1.5, and 2014.2.x before 2014.2.4, writes the content of the backend_argument configuration option to its logs. Remote authenticated users who can read the log files can obtain sensitive information, including passwords. Organizations running this service should upgrade to a patched version to mitigate the risk of information exposure.
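A log check for this exposure, as an added example that is not part of the original advisory or of Keystone's code: it flags log lines that carry an unmasked backend_argument value and produces a redacted copy. The log line layout, the `****` mask convention and the sample values are constructed assumptions; adjust the pattern to the format your deployment actually writes.

```python
import re

# Constructed sample lines in the style of an option dump at service start.
# The layout and all values are assumptions made for this example.
SAMPLE_LOG = """\
2015-05-01 10:00:00.123 1234 DEBUG keystone [-] cache.backend = dogpile.cache.redis
2015-05-01 10:00:00.124 1234 DEBUG keystone [-] cache.backend_argument = ['url:redis.example.internal', 'password:EXAMPLE-NOT-REAL']
2015-05-01 10:00:00.125 1234 DEBUG keystone [-] cache.enabled = True
2015-05-01 10:00:01.000 1234 DEBUG keystone [-] cache.backend_argument = ****
2015-05-01 10:00:02.000 1234 DEBUG keystone [-] cache.backend_argument = []
"""

# Matches "backend_argument = <value>" and captures the value to end of line.
OPTION = re.compile(r"\bbackend_argument\s*=\s*(?P<value>.*)$")
MASK = "****"


def is_harmless(value):
    """True when the logged value is empty or already masked with asterisks."""
    value = value.strip()
    return value in ("", "[]", "None") or set(value) == {"*"}


def scan(lines):
    """Return (line_number, redacted_line) for each line exposing a value."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = OPTION.search(line)
        if match and not is_harmless(match.group("value")):
            # Keep everything up to the value, replace the value itself.
            findings.append((number, line[:match.start("value")] + MASK))
    return findings


def redact(lines):
    """Return every line, with exposed backend_argument values masked."""
    exposed = dict(scan(lines))
    return [exposed.get(n, line) for n, line in enumerate(lines, start=1)]


if __name__ == "__main__":
    for number, redacted in scan(SAMPLE_LOG.splitlines()):
        print(f"line {number}: backend_argument value exposed -> {redacted}")
```

Upgrading stops new entries from being written but does not change log files that already exist, so any credential found by a check like this should be treated as exposed and rotated.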
References
Timeline
Vulnerability published
Vulnerability Reserved