CVE-2015-8749

CWE-200 — Information Exposure10 documents8 sources

Severity

5.9MEDIUM

EPSS

0.9%

top 23.72%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openstack Nova

Timeline

PublishedJan 15

Latest updateMay 14

Description

The volume_utils._parse_volume_info function in OpenStack Compute (Nova) before 2015.1.3 (kilo) and 12.0.x before 12.0.1 (liberty) includes the connection_info dictionary in the StorageError message when using the Xen backend, which might allow attackers to obtain sensitive password information by reading log files or other unspecified vectors.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages3 packages

▶NVDopenstack/nova12.0.0 — 12.0.1+1

▶PyPInova12.0.0 — 12.0.1

▶Debiannova< 2:13.0.0~rc3-1+3

Patches

Patch: security.openstack.org ↗Patch: security.openstack.org ↗

🔴Vulnerability Details

OSV

OpenStack Nova Potential Xen connection password leak via StorageError↗2022-05-14

▶

GHSA

OpenStack Nova Potential Xen connection password leak via StorageError↗2022-05-14

▶

OSV

CVE-2015-8749: The volume_utils↗2016-01-15

▶

CVEList

CVE-2015-8749: The volume_utils↗2016-01-15

▶

📋Vendor Advisories

Ubuntu

OpenStack Nova vulnerabilities↗2017-10-11

▶

Red Hat

openstack-nova: Xen connection password leak in logs via StorageError↗2016-01-07

▶

Debian

CVE-2015-8749: nova - The volume_utils._parse_volume_info function in OpenStack Compute (Nova) before ...↗2015

▶

💬Community

Bugzilla

CVE-2015-8749 openstack-nova: Xen connection password leak in logs via StorageError↗2016-01-08

▶

Bugzilla

CVE-2015-8749 openstack-nova: Xen connection password leak in logs via StorageError [fedora-all]↗2016-01-08

▶