CVE-2014-1948
low
CVSS v3
—
CVSS v2
2.6
VIR risk
2.6
Description
OpenStack Image Registry and Delivery Service (Glance) 2013.2 through 2013.2.1 and Icehouse before icehouse-2 logs a URL containing the Swift store backend password when authentication fails and WARNING level logging is enabled, which allows local users to obtain sensitive information by reading the log.
Predictions
Exploit likelihood
20%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2014-1948
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | bookworm | fixed | 2013.2.2-1 |
| debian | bullseye | fixed | 2013.2.2-1 |
| debian | forky | fixed | 2013.2.2-1 |
| debian | sid | fixed | 2013.2.2-1 |
| debian | trixie | fixed | 2013.2.2-1 |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| PyPI | glance | <11.0.0a0 | 11.0.0a0 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| openstack | image_registry_and_delivery_service_\(glance\) | 2013.2 | |
| openstack | image_registry_and_delivery_service_\(glance\) | 2013.2.1 | |
References
- https://nvd.nist.gov/vuln/detail/CVE-2014-1948
- https://github.com/openstack/glance/commit/108f0e04ad2ed3dc287f1b71b987a7e9d66072ba
- https://github.com/openstack/glance/commit/f6e41e9c0ff3aa9ee57b8c8ed8c789f1aff019bc
- https://bugs.launchpad.net/glance/+bug/1275062
- https://github.com/openstack/glance
- https://github.com/pypa/advisory-database/tree/main/vulns/glance/PYSEC-2014-102.yaml
- http://rhn.redhat.com/errata/RHSA-2014-0229.html
- http://www.openwall.com/lists/oss-security/2014/02/12/18
- http://secunia.com/advisories/56419
- http://www.securityfocus.com/bid/65507
- https://security-tracker.debian.org/tracker/CVE-2014-1948
CWEs
CWE-255
Verify integrity in audit chain (admin only). AS-IS.