Launchpad.net

CVE 2015-8749

The volume_utils._parse_volume_info function in OpenStack Compute (Nova) before 2015.1.3 (kilo) and 12.0.x before 12.0.1 (liberty) includes the connection_info dictionary in the StorageError message when using the Xen backend, which might allow attackers to obtain sensitive password information by reading log files or other unspecified vectors.

Related bugs and status

CVE-2015-8749 (Candidate) is related to these bugs:

Bug #1516765: [OSSA 2016-002] xenapi: volume_utils._parse_volume_info can leak connection password via StorageError (CVE-2015-8749)

		In	Importance	Status
1516765	[OSSA 2016-002] xenapi: volume_utils._parse_volume_info can leak connection password via StorageError (CVE-2015-8749)	OpenStack Compute (nova)	High	Fix Released
1516765	[OSSA 2016-002] xenapi: volume_utils._parse_volume_info can leak connection password via StorageError (CVE-2015-8749)	OpenStack Security Advisory	Undecided	Fix Released
1516765	[OSSA 2016-002] xenapi: volume_utils._parse_volume_info can leak connection password via StorageError (CVE-2015-8749)	OpenStack Compute (nova) mitaka	High	Fix Released
1516765	[OSSA 2016-002] xenapi: volume_utils._parse_volume_info can leak connection password via StorageError (CVE-2015-8749)	OpenStack Compute (nova) juno	Undecided	Won't Fix
1516765	[OSSA 2016-002] xenapi: volume_utils._parse_volume_info can leak connection password via StorageError (CVE-2015-8749)	OpenStack Compute (nova) kilo	High	Fix Released
1516765	[OSSA 2016-002] xenapi: volume_utils._parse_volume_info can leak connection password via StorageError (CVE-2015-8749)	OpenStack Compute (nova) liberty	High	Fix Released

Bug #1572594: [OSSA 2016-002] xenapi: volume_utils._parse_volume_info can leak connection password via StorageError (CVE-2015-8749)

		In	Importance	Status
1572594	[OSSA 2016-002] xenapi: volume_utils._parse_volume_info can leak connection password via StorageError (CVE-2015-8749)	Mirantis OpenStack	High	Fix Released
1572594	[OSSA 2016-002] xenapi: volume_utils._parse_volume_info can leak connection password via StorageError (CVE-2015-8749)	Mirantis OpenStack 9.x	High	Fix Released
1572594	[OSSA 2016-002] xenapi: volume_utils._parse_volume_info can leak connection password via StorageError (CVE-2015-8749)	Mirantis OpenStack 8.0.x	High	Invalid
1572594	[OSSA 2016-002] xenapi: volume_utils._parse_volume_info can leak connection password via StorageError (CVE-2015-8749)	Mirantis OpenStack 7.0.x	High	Fix Released

See the

CVE page on Mitre.org for more details.

Launchpad.net

CVE 2015-8749

Related bugs and status

Related bugs

References