CVE-2014-1948: OpenStack Glance sensitive information disclosure via logs

May 17, 2022 (updated May 14, 2024)

OpenStack Image Registry and Delivery Service (Glance) 2013.2 through 2013.2.1 and Icehouse before icehouse-2 logs a URL containing the Swift store backend password when authentication fails and WARNING level logging is enabled, which allows local users to obtain sensitive information by reading the log.

References

bugs.launchpad.net/glance/+bug/1275062
github.com/advisories/GHSA-4xw6-hj5p-4j79
github.com/openstack/glance
github.com/openstack/glance/commit/108f0e04ad2ed3dc287f1b71b987a7e9d66072ba
github.com/openstack/glance/commit/f6e41e9c0ff3aa9ee57b8c8ed8c789f1aff019bc
nvd.nist.gov/vuln/detail/CVE-2014-1948

Detect and mitigate CVE-2014-1948 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →