CVE-2013-6384
Published: 23 November 2013
(1) impl_db2.py and (2) impl_mongodb.py in OpenStack Ceilometer 2013.2 and earlier, when the logging level is set to INFO, log the connection string from ceilometer.conf, which allows local users to obtain sensitive information (the DB2 or MongoDB password) by reading the log file.
Notes
Author | Note |
---|---|
jdstrand | Ubuntu 13.10 is affected. /var/log/ceilometer is 0755 |
Priority
Status
Package | Release | Status |
---|---|---|
ceilometer | lucid | Does not exist |
ceilometer | precise | Does not exist |
ceilometer | quantal | Ignored (end of life) |
ceilometer | raring | Ignored (end of life) |
ceilometer | saucy | Not vulnerable (2013.2.3-0ubuntu1) |
ceilometer | trusty | Does not exist (trusty was not-affected) |
ceilometer | upstream | Needs triage |

Patches: upstream: https://review.openstack.org/56396
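
The class of bug described above (a database connection string with embedded credentials written to an INFO-level log) can be guarded against at two points: redact the URL before it is formatted into a message, and attach a logging filter as a backstop for call sites that forget. The following is an added example, not Ceilometer's code or the upstream patch; the function, class and logger names and the sample connection strings are hypothetical.

```python
import io
import logging
import re
from urllib.parse import urlsplit, urlunsplit

MASK = "****"
# scheme://user:password@ ; greedy up to the last "@" before any "/" or space
_CRED_RE = re.compile(r"\b([a-z][a-z0-9+.-]*://[^/\s:@]+):[^/\s]*@", re.I)


def redact_connection_url(url):
    """Return url with the userinfo password replaced by MASK."""
    parts = urlsplit(url)
    if parts.password is None:
        return url
    userinfo, _, hosts = parts.netloc.rpartition("@")
    user = userinfo.split(":", 1)[0]
    return urlunsplit(parts._replace(netloc=f"{user}:{MASK}@{hosts}"))


class CredentialScrubFilter(logging.Filter):
    """Backstop: mask URL credentials in any record before it is emitted."""

    def filter(self, record):
        record.msg = _CRED_RE.sub(rf"\1:{MASK}@", record.getMessage())
        record.args = ()
        return True


def demo():
    """Log constructed connection strings and return what reached the log."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.addFilter(CredentialScrubFilter())
    log = logging.getLogger("storage_demo")  # hypothetical logger name
    log.setLevel(logging.INFO)
    log.propagate = False
    log.handlers = [handler]
    # Constructed sample values, not taken from any real deployment.
    mongo = "mongodb://ceilometer:s3cr3t@db1:27017,db2:27017/ceilometer"
    db2 = "db2://ceilometer:p%40ss@localhost:50000/ceilodb"
    log.info("connecting to MongoDB on %s", redact_connection_url(mongo))
    log.info("connecting to DB2 on %s", db2)  # caller forgot to redact
    return stream.getvalue().splitlines()


if __name__ == "__main__":
    print("\n".join(demo()))
```

Redaction limits what is written; the log directory mode mentioned in the note above (0755) is a separate control that determines which local users can read whatever does get written.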