CVE-2014-7231 — OpenStack Oslo utility sensitive information exposure via log files

Description

The strutils.mask_password function in the OpenStack Oslo utility library, Cinder, Nova, and Trove before 2013.2.4 and 2014.1 before 2014.1.3 does not properly mask passwords when logging commands, which allows local users to obtain passwords by reading the log.

How to fix CVE-2014-7231

To remediate CVE-2014-7231, upgrade the affected package to a fixed version below.

Debian/python-oslo.utils—upgrade to 0.2.0-1 or later
PyPI/oslo-utils—upgrade to 0.2.0 or later

Is CVE-2014-7231 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 0.2.0-1
from 0, < 0.2.0

References (8)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2014-7231
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2014-7231
PATCHgithub.com/openstack/oslo.utils
WEBrhn.redhat.com/errata/RHSA-2014-1939.html
WEB