5.9

CVE-2017-2592

python-oslo-middleware before versions 3.8.1, 3.19.1, 3.23.1 is vulnerable to an information disclosure. Software using the CatchError class could include sensitive values in a traceback's error message. System users could exploit this flaw to obtain sensitive information from OpenStack component error logs (for example, keystone tokens).

Data is provided by the National Vulnerability Database (NVD)
OpenstackOslo.Middleware Version <= 3.8.0
OpenstackOslo.Middleware Version >= 3.9.0 <= 3.19.0
OpenstackOslo.Middleware Version >= 3.20.0 <= 3.23.0
CanonicalUbuntu Linux Version16.04 SwEditionlts
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 0.1% 0.241
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 5.5 1.8 3.6
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov 2.1 3.9 2.9
AV:L/AC:L/Au:N/C:P/I:N/A:N
secalert@redhat.com 5.9 1.5 4
CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N
CWE-532 Insertion of Sensitive Information into Log File

The product writes sensitive information to a log file.

http://www.securityfocus.com/bid/95827
Third Party Advisory
VDB Entry
https://bugs.launchpad.net/keystonemiddleware/+bug/1628031
Patch
Third Party Advisory
Issue Tracking
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2592
Patch
Third Party Advisory
Issue Tracking
https://review.openstack.org/#/c/425730/
Patch
Vendor Advisory
Issue Tracking
https://review.openstack.org/#/c/425732/
Patch
Vendor Advisory
Issue Tracking
https://review.openstack.org/#/c/425734/
Patch
Vendor Advisory
Issue Tracking
https://usn.ubuntu.com/3666-1/
Third Party Advisory