CVE-2014-7230 – Trove: potential leak of passwords into log files
https://notcve.org/view.php?id=CVE-2014-7230
The processutils.execute function in OpenStack oslo-incubator, Cinder, Nova, and Trove before 2013.2.4 and 2014.1 before 2014.1.3 allows local users to obtain passwords from commands that cause a ProcessExecutionError by reading the log. La función processutils.execute en OpenStack oslo-incubator, Cinder, Nova, y Trove anterior a 2013.2.4 y 2014.1 anterior a 2014.1.3 permite a usuarios locales obtener contraseñas de comandos que causan un error de ejecución de proceso (ProcessExecutionError) mediante la lectura del registro. • http://rhn.redhat.com/errata/RHSA-2014-1939.html http://seclists.org/oss-sec/2014/q3/853 http://www.securityfocus.com/bid/70185 http://www.ubuntu.com/usn/USN-2405-1 https://bugs.launchpad.net/oslo-incubator/+bug/1343604 https://exchange.xforce.ibmcloud.com/vulnerabilities/96725 https://access.redhat.com/security/cve/CVE-2014-7230 https://bugzilla.redhat.com/show_bug.cgi?id=1147722 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-522: Insufficiently Protected Credentials •
CVE-2014-3641 – openstack-cinder: Cinder-volume host data leak to virtual machine instance
https://notcve.org/view.php?id=CVE-2014-3641
The (1) GlusterFS and (2) Linux Smbfs drivers in OpenStack Cinder before 2014.1.3 allows remote authenticated users to obtain file data from the Cinder-volume host by cloning and attaching a volume with a crafted qcow2 header. Los controladores (1) GlusterFS y (2) Linux Smbfs en OpenStack Cinder anterior a 2014.1.3 permiten a usuarios remotos autenticados obtener datos de ficheros del anfitrión Cinder-volume mediante el clonación y adjunto de un volumen con una cabecera qcow2 manipulada. • http://rhn.redhat.com/errata/RHSA-2014-1787.html http://rhn.redhat.com/errata/RHSA-2014-1788.html http://seclists.org/oss-sec/2014/q4/78 http://www.securityfocus.com/bid/70221 http://www.ubuntu.com/usn/USN-2405-1 https://bugs.launchpad.net/cinder/+bug/1350504 https://access.redhat.com/security/cve/CVE-2014-3641 https://bugzilla.redhat.com/show_bug.cgi?id=1141996 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2014-7231 – Trove: potential leak of passwords into log files
https://notcve.org/view.php?id=CVE-2014-7231
The strutils.mask_password function in the OpenStack Oslo utility library, Cinder, Nova, and Trove before 2013.2.4 and 2014.1 before 2014.1.3 does not properly mask passwords when logging commands, which allows local users to obtain passwords by reading the log. La función strutils.mask_password en la libraría de utilidades de OpenStack Oslo, Cinder, Nova, y Trove anterior a 2013.2.4 y 2014.1 anterior a 2014.1.3 no enmasca debidamente contraseñas cuando registra comandos, lo que permite a usuarios locales obtener contraseñas mediante la lectura del registro. • http://rhn.redhat.com/errata/RHSA-2014-1939.html http://seclists.org/oss-sec/2014/q3/853 http://www.securityfocus.com/bid/70184 https://bugs.launchpad.net/oslo.utils/+bug/1345233 https://exchange.xforce.ibmcloud.com/vulnerabilities/96726 https://access.redhat.com/security/cve/CVE-2014-7231 https://bugzilla.redhat.com/show_bug.cgi?id=1147722 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-522: Insufficiently Protected Credentials •