Description
(1) impl_db2.py and (2) impl_mongodb.py in OpenStack Ceilometer 2013.2 and earlier, when the logging level is set to INFO, log the connection string from ceilometer.conf, which allows local users to obtain sensitive information (the DB2 or MongoDB password) by reading the log file.
References (3)
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2013/11/25/3
Exploit, Issue Tracking, Third Party Advisory x_refsource_confirm
https://bugs.launchpad.net/ceilometer/+bug/1244476
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2013/11/22/3
Scores
EPSS
0.0006
EPSS Percentile
17.6%
Details
CWE
CWE-532
Status
published
Products (1)
openstack/ceilometer
2013.1 - 2013.2
Published
Nov 23, 2013
Tracked Since
Feb 18, 2026