Description
The strutils.mask_password function in the OpenStack Oslo utility library, Cinder, Nova, and Trove before 2013.2.4 and 2014.1 before 2014.1.3 does not properly mask passwords when logging commands, which allows local users to obtain passwords by reading the log.
References (5)
Core References
Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
http://seclists.org/oss-sec/2014/q3/853
Third Party Advisory, VDB Entry vdb-entry
x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/96726
Third Party Advisory vendor-advisory
x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2014-1939.html
Exploit, Third Party Advisory x_refsource_confirm
https://bugs.launchpad.net/oslo.utils/+bug/1345233
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/70184
Scores
EPSS
0.0016
EPSS Percentile
36.0%
Details
CWE
CWE-200
Status
published
Products (5)
openstack/cinder
2013.2 - 2013.2.4
openstack/nova
2013.2 - 2013.2.4
openstack/trove
2013.2 - 2013.2.4
pypi/oslo.utils
0 - 0.2.0 (PyPI)
redhat/openstack
5.0
Published
Oct 08, 2014
Tracked Since
Feb 18, 2026