CVE-2014-7231
Trove: potential leak of passwords into log files
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
The strutils.mask_password function in the OpenStack Oslo utility library, Cinder, Nova, and Trove before 2013.2.4 and 2014.1 before 2014.1.3 does not properly mask passwords when logging commands, which allows local users to obtain passwords by reading the log.
La función strutils.mask_password en la libraría de utilidades de OpenStack Oslo, Cinder, Nova, y Trove anterior a 2013.2.4 y 2014.1 anterior a 2014.1.3 no enmasca debidamente contraseñas cuando registra comandos, lo que permite a usuarios locales obtener contraseñas mediante la lectura del registro.
OpenStack Database is Database as a Service for Openstack. It runs entirely on OpenStack, with the goal of allowing users to quickly and easily utilize the features of a database without the burden of handling complex administrative tasks. Cloud users and database administrators can provision and manage multiple database instances as needed. It was found that the processutils.execute() and strutils.mask_password() functions did not correctly sanitize the authentication details from their output before storing them in log files. This could allow an attacker with read access to these log files to obtain sensitive information such as passwords.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2014-09-29 CVE Reserved
- 2014-10-08 CVE Published
- 2024-08-06 CVE Updated
- 2024-08-06 First Exploit
- 2025-03-31 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
- CWE-522: Insufficiently Protected Credentials
CAPEC
References (7)
| URL | Tag | Source |
|---|---|---|
| http://seclists.org/oss-sec/2014/q3/853 | Mailing List |
|
| http://www.securityfocus.com/bid/70184 | Third Party Advisory | |
| https://exchange.xforce.ibmcloud.com/vulnerabilities/96726 | Third Party Advisory |
| URL | Date | SRC |
|---|---|---|
| https://bugs.launchpad.net/oslo.utils/+bug/1345233 | 2024-08-06 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| http://rhn.redhat.com/errata/RHSA-2014-1939.html | 2018-11-16 | |
| https://access.redhat.com/security/cve/CVE-2014-7231 | 2014-12-02 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1147722 | 2014-12-02 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Openstack Search vendor "Openstack" | Cinder Search vendor "Openstack" for product "Cinder" | >= 2013.2 < 2013.2.4 Search vendor "Openstack" for product "Cinder" and version " >= 2013.2 < 2013.2.4" | - |
Affected
| ||||||
| Openstack Search vendor "Openstack" | Cinder Search vendor "Openstack" for product "Cinder" | >= 2014.1 < 2014.1.3 Search vendor "Openstack" for product "Cinder" and version " >= 2014.1 < 2014.1.3" | - |
Affected
| ||||||
| Openstack Search vendor "Openstack" | Nova Search vendor "Openstack" for product "Nova" | >= 2013.2 < 2013.2.4 Search vendor "Openstack" for product "Nova" and version " >= 2013.2 < 2013.2.4" | - |
Affected
| ||||||
| Openstack Search vendor "Openstack" | Nova Search vendor "Openstack" for product "Nova" | >= 2014.1 < 2014.1.3 Search vendor "Openstack" for product "Nova" and version " >= 2014.1 < 2014.1.3" | - |
Affected
| ||||||
| Openstack Search vendor "Openstack" | Trove Search vendor "Openstack" for product "Trove" | >= 2013.2 < 2013.2.4 Search vendor "Openstack" for product "Trove" and version " >= 2013.2 < 2013.2.4" | - |
Affected
| ||||||
| Openstack Search vendor "Openstack" | Trove Search vendor "Openstack" for product "Trove" | >= 2014.1 < 2014.1.3 Search vendor "Openstack" for product "Trove" and version " >= 2014.1 < 2014.1.3" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Openstack Search vendor "Redhat" for product "Openstack" | 5.0 Search vendor "Redhat" for product "Openstack" and version "5.0" | - |
Affected
| ||||||