Vulnerability Description
The volume_utils._parse_volume_info function in OpenStack Compute (Nova) before 2015.1.3 (kilo) and 12.0.x before 12.0.1 (liberty) includes the connection_info dictionary in the StorageError message when using the Xen backend, which might allow attackers to obtain sensitive password information by reading log files or other unspecified vectors.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Openstack | Nova | >= 12.0.0, < 12.0.1 |
Related Weaknesses (CWE)
References
- http://www.openwall.com/lists/oss-security/2016/01/07/8Mailing ListThird Party Advisory
- http://www.openwall.com/lists/oss-security/2016/01/07/9Mailing ListThird Party Advisory
- http://www.securityfocus.com/bid/80189Third Party AdvisoryVDB Entry
- https://bugs.launchpad.net/nova/+bug/1516765Third Party Advisory
- https://security.openstack.org/ossa/OSSA-2016-002.htmlPatchVendor Advisory
- http://www.openwall.com/lists/oss-security/2016/01/07/8Mailing ListThird Party Advisory
- http://www.openwall.com/lists/oss-security/2016/01/07/9Mailing ListThird Party Advisory
- http://www.securityfocus.com/bid/80189Third Party AdvisoryVDB Entry
- https://bugs.launchpad.net/nova/+bug/1516765Third Party Advisory
- https://security.openstack.org/ossa/OSSA-2016-002.htmlPatchVendor Advisory
FAQ
What is CVE-2015-8749?
CVE-2015-8749 is a vulnerability with a CVSS score of 5.9 (MEDIUM). The volume_utils._parse_volume_info function in OpenStack Compute (Nova) before 2015.1.3 (kilo) and 12.0.x before 12.0.1 (liberty) includes the connection_info dictionary in the StorageError message w...
How severe is CVE-2015-8749?
CVE-2015-8749 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2015-8749?
Check the references section above for vendor advisories and patch information. Affected products include: Openstack Nova.