CVE-2014-7231 : The strutils.mask_password function in the OpenStack Oslo utility library, Cinde

The strutils.mask_password function in the OpenStack Oslo utility library, Cinder, Nova, and Trove before 2013.2.4 and 2014.1 before 2014.1.3 does not properly mask passwords when logging commands, which allows local users to obtain passwords by reading the log.

Published 2014-10-08 19:55:05

Updated 2025-04-12 10:46:41

Source MITRE

View at NVD, CVE.org

Products affected by CVE-2014-7231

Redhat » Openstack » Version: 5.0
cpe:2.3:a:redhat:openstack:5.0:*:*:*:*:*:*:*
Matching versions
Openstack » Nova
Versions from including (>=) 2014.1 and before (<) 2014.1.3
cpe:2.3:a:openstack:nova:*:*:*:*:*:*:*:*
Matching versions
Openstack » Nova
Versions from including (>=) 2013.2 and before (<) 2013.2.4
cpe:2.3:a:openstack:nova:*:*:*:*:*:*:*:*
Matching versions
Openstack » Cinder
Versions from including (>=) 2014.1 and before (<) 2014.1.3
cpe:2.3:a:openstack:cinder:*:*:*:*:*:*:*:*
Matching versions
Openstack » Cinder
Versions from including (>=) 2013.2 and before (<) 2013.2.4
cpe:2.3:a:openstack:cinder:*:*:*:*:*:*:*:*
Matching versions
Openstack » Trove
Versions from including (>=) 2014.1 and before (<) 2014.1.3
cpe:2.3:a:openstack:trove:*:*:*:*:*:*:*:*
Matching versions
Openstack » Trove
Versions from including (>=) 2013.2 and before (<) 2013.2.4
cpe:2.3:a:openstack:trove:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2014-7231

EPSS FAQ

0.09%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 23 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2014-7231

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
2.1	LOW	AV:L/AC:L/Au:N/C:P/I:N/A:N	3.9	2.9	NIST
Access Vector: Local Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None

CWE ids for CVE-2014-7231

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2014-7231

http://seclists.org/oss-sec/2014/q3/853

Mailing List;Third Party Advisory

CVEs referencing this url
http://www.securityfocus.com/bid/70184

OpenStack Cinder/Nova/Trove CVE-2014-7231 Local Password Disclosure Vulnerability
Third Party Advisory;VDB Entry
http://rhn.redhat.com/errata/RHSA-2014-1939.html

RHSA-2014:1939 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://bugs.launchpad.net/oslo.utils/+bug/1345233

Bug #1345233 “Make the checks in strutils.mask_password more sec...” : Bugs : oslo.utils
Exploit;Third Party Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/96726

OpenStack Cinder, Nova, and Trove strutils.mask_password() information disclosure CVE-2014-7231 Vulnerability Report
Third Party Advisory;VDB Entry

Jump to

Vulnerability Details : CVE-2014-7231

Products affected by CVE-2014-7231

Exploit prediction scoring system (EPSS) score for CVE-2014-7231

CVSS scores for CVE-2014-7231

CWE ids for CVE-2014-7231

References for CVE-2014-7231