Consoleauth Token Leakage in OpenStack Nova by OpenStack
CVE-2015-9543

3.3LOW

Key Information:

Vendor
Openstack
Status
Nova
Vendor
CVE Published:
19 February 2020

Summary

A vulnerability in OpenStack Nova allows consoleauth tokens to be inadvertently written into log files. This issue is particularly problematic since an attacker with read access to service logs could potentially extract these tokens, gaining unauthorized console access to the Nova service. All installations of Nova utilizing the novncproxy functionality are impacted, specifically related to the NovaProxyRequestHandlerBase in the websocketproxy.py file.

References

https://launchpad.net/bugs/1492140
x_refsource_MISC
https://review.opendev.org/220622
x_refsource_MISC
https://security.openstack.org/ossa/OSSA-2020-001.html
x_refsource_CONFIRM

CVSS V3.1

Score:
3.3
Severity:
LOW
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.