Vulnerability Details : CVE-2015-9543
An issue was discovered in OpenStack Nova before 18.2.4, 19.x before 19.1.0, and 20.x before 20.1.0. It can leak consoleauth tokens into log files. An attacker with read access to the service's logs may obtain tokens used for console access. All Nova setups using novncproxy are affected. This is related to NovaProxyRequestHandlerBase.new_websocket_client in console/websocketproxy.py.
Vulnerability category: Information leak
Products affected by CVE-2015-9543
- cpe:2.3:a:openstack:nova:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2015-9543
- EPSS score: 0.05% (probability of exploitation activity in the next 30 days)
- Percentile: ~12% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2015-9543
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
2.1 | LOW | AV:L/AC:L/Au:N/C:P/I:N/A:N | 3.9 | 2.9 | NIST | |
3.3 | LOW | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N | 1.8 | 1.4 | NIST | |
CWE ids for CVE-2015-9543
- The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Assigned by: nvd@nist.gov (Primary)
References for CVE-2015-9543
- https://review.opendev.org/220622
  Change I5b8fa423: Mask the token used to allow access to consoles | review.opendev Code Review (Third Party Advisory)
- https://launchpad.net/bugs/1492140
  Bug #1492140 “[OSSA-2020-001] Nova can leak consoleauth token in...” : Bugs : OpenStack Compute (nova) (Issue Tracking; Third Party Advisory)
- http://www.openwall.com/lists/oss-security/2020/02/19/2
  oss-security - [OSSA-2020-001] Nova can leak consoleauth token into log files (CVE-2015-9543) (Mailing List; Patch; Third Party Advisory)
- https://security.openstack.org/ossa/OSSA-2020-001.html
  OpenStack Docs: OSSA-2020-001: Nova can leak consoleauth token into log files (Patch; Vendor Advisory)