#VU6848 Information disclosure in Openstack Nova
Vulnerability identifier: #VU6848
Vulnerability risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-200
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Openstack Nova
Client/Desktop applications /
Other client software
Vendor: Openstack
Description
The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.
The weakness exists due to an error in exception_wrapper.py. A remote attacker can cause an ERROR level logs and reveal legacy notification exception contexts that may include sensitive information such as account passwords and authorization tokens.
Successful exploitation of the vulnerability results in information disclosure.
Mitigation
Update to the latest version.
Vulnerable software versions
Openstack Nova: 13.0.0 - 15.0.1
External links
http://bugs.launchpad.net/nova/+bug/1673569
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
