CVE-2015-8749

MEDIUM

OpenStack Nova 12.0.0 - Exposure of Sensitive Information in Xen Backend StorageError Message

Title source: llm

Description

The volume_utils._parse_volume_info function in OpenStack Compute (Nova) before 2015.1.3 (kilo) and 12.0.x before 12.0.1 (liberty) includes the connection_info dictionary in the StorageError message when using the Xen backend, which might allow attackers to obtain sensitive password information by reading log files or other unspecified vectors.

References (5)

Core 5

Core References

Mailing List, Third Party Advisory mailing-list x_refsource_mlist

http://www.openwall.com/lists/oss-security/2016/01/07/9

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/80189

Patch, Vendor Advisory x_refsource_confirm

https://security.openstack.org/ossa/OSSA-2016-002.html

Third Party Advisory x_refsource_confirm

https://bugs.launchpad.net/nova/+bug/1516765

Mailing List, Third Party Advisory mailing-list x_refsource_mlist

http://www.openwall.com/lists/oss-security/2016/01/07/8

Scores

CVSS v3 5.9

EPSS 0.0094

EPSS Percentile 76.5%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE

CWE-200

Status published

Products (2)

openstack/nova 12.0.0 - 12.0.1

pypi/nova 12.0.0 - 12.0.1PyPI

Published Jan 15, 2016

Tracked Since Feb 18, 2026