CVE-2017-2592

MEDIUM

Openstack Oslo.middleware < 3.8.0 - Log Information Exposure

Title source: rule
STIX 2.1

Description

python-oslo-middleware before versions 3.8.1, 3.19.1, 3.23.1 is vulnerable to an information disclosure. Software using the CatchError class could include sensitive values in a traceback's error message. System users could exploit this flaw to obtain sensitive information from OpenStack component error logs (for example, keystone tokens).

References (12)

Core 12
Core References
Issue Tracking, Patch, Vendor Advisory x_refsource_misc
https://review.openstack.org/#/c/425732/
Third Party Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2017-0300.html
Third Party Advisory x_refsource_confirm
https://access.redhat.com/errata/RHSA-2017:0300
Third Party Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2017-0435.html
Issue Tracking, Patch, Third Party Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2592
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/95827
Issue Tracking, Patch, Vendor Advisory x_refsource_misc
https://review.openstack.org/#/c/425730/
Issue Tracking, Patch, Vendor Advisory x_refsource_misc
https://review.openstack.org/#/c/425734/
Issue Tracking, Patch, Third Party Advisory x_refsource_misc
https://bugs.launchpad.net/keystonemiddleware/+bug/1628031
Third Party Advisory x_refsource_confirm
https://access.redhat.com/errata/RHSA-2017:0435
Third Party Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/3666-1/

Scores

CVSS v3 5.9
EPSS 0.0009
EPSS Percentile 25.8%
Attack Vector LOCAL
CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N

Details

CWE
CWE-532
Status published
Products (4)
canonical/ubuntu_linux 16.04
openstack/oslo.middleware < 3.8.0
pypi/oslo-middleware 3.9.0 - 3.19.1PyPI
pypi/oslo.middleware 3.9.0 - 3.19.1PyPI
Published May 08, 2018
Tracked Since Feb 18, 2026