CVE-2015-8749

low-risk
Published 2016-01-15

The volume_utils._parse_volume_info function in OpenStack Compute (Nova) before 2015.1.3 (kilo) and 12.0.x before 12.0.1 (liberty) includes the connection_info dictionary in the StorageError message when using the Xen backend, which might allow attackers to obtain sensitive password information by reading log files or other unspecified vectors.

Do I need to act?

-
0.94% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.9/10 Medium
NETWORK / HIGH complexity

Affected Products (1)

Nova

Affected Vendors

Openstack

References (10)

Mailing List http://www.openwall.com/lists/oss-security/2016/01/07/8
Mailing List http://www.openwall.com/lists/oss-security/2016/01/07/9
Third Party Advisory http://www.securityfocus.com/bid/80189
Third Party Advisory https://bugs.launchpad.net/nova/+bug/1516765
Patch https://security.openstack.org/ossa/OSSA-2016-002.html
Mailing List http://www.openwall.com/lists/oss-security/2016/01/07/8
Mailing List http://www.openwall.com/lists/oss-security/2016/01/07/9
Third Party Advisory http://www.securityfocus.com/bid/80189
Third Party Advisory https://bugs.launchpad.net/nova/+bug/1516765
Patch https://security.openstack.org/ossa/OSSA-2016-002.html
26
/ 100
low-risk
Severity 18/34 · Moderate
Exploitability 3/34 · Minimal
Exposure 5/34 · Minimal