CVE-2015-9543

LOW

Openstack Nova < 18.2.4 - Information Disclosure

Title source: rule

Description

An issue was discovered in OpenStack Nova before 18.2.4, 19.x before 19.1.0, and 20.x before 20.1.0. It can leak consoleauth tokens into log files. An attacker with read access to the service's logs may obtain tokens used for console access. All Nova setups using novncproxy are affected. This is related to NovaProxyRequestHandlerBase.new_websocket_client in console/websocketproxy.py.

References (4)

[Mailing List, Patch, Third Party Advisory] http://www.openwall.com/lists/oss-security/2020/02/19/2

[Issue Tracking, Third Party Advisory] https://launchpad.net/bugs/1492140

[Third Party Advisory] https://review.opendev.org/220622

[Patch, Vendor Advisory] https://security.openstack.org/ossa/OSSA-2020-001.html

Scores

CVSS v3 3.3

EPSS 0.0008

EPSS Percentile 24.0%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Classification

CWE

CWE-200

Status published

Affected Products (2)

openstack/nova < 18.2.4

pypi/Nova < 18.2.4PyPI

Timeline

Published Feb 19, 2020

Tracked Since Feb 18, 2026