GHSA-22jm-4hxw-35jf

Source
https://github.com/advisories/GHSA-22jm-4hxw-35jf
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-22jm-4hxw-35jf/GHSA-22jm-4hxw-35jf.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-22jm-4hxw-35jf
Aliases
Published
2022-05-24T17:09:18Z
Modified
2024-05-09T16:26:50.964703Z
Severity
  • 3.3 (Low) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
OpenStack Nova can leak consoleauth token into log files
Details

An issue was discovered in OpenStack Nova before 18.2.4, 19.x before 19.1.0, and 20.x before 20.1.0. It can leak consoleauth tokens into log files. An attacker with read access to the service's logs may obtain tokens used for console access. All Nova setups using novncproxy are affected. This is related to NovaProxyRequestHandlerBase.new_websocket_client in console/websocketproxy.py.

References

Affected packages

PyPI / nova

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
18.2.4

Affected versions

15.*

15.1.5

16.*

16.1.6
16.1.7
16.1.8

17.*

17.0.7
17.0.8
17.0.9
17.0.10
17.0.11
17.0.12
17.0.13

18.*

18.0.2
18.0.3
18.1.0
18.2.0
18.2.1
18.2.2
18.2.3

PyPI / nova

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
19.0.0
Fixed
19.1.0

Affected versions

19.*

19.0.0
19.0.1
19.0.2
19.0.3

PyPI / nova

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
20.0.0
Fixed
20.1.0

Affected versions

20.*

20.0.0
20.0.1