OSSA-2020-001: Nova can leak consoleauth token into log files

Date:

February 19, 2020

CVE:

CVE-2015-9543

Affects

  • Nova: <18.2.4,>=19.0.0<19.1.0,>=20.0.0<20.1.0

Description

Paul Carlton from HP reported a vulnerability in Nova. An attacker with read access to the service’s logs may obtain tokens used for console access. All Nova setups using novncproxy are affected.

Patches

Credits

  • Paul Carlton from HP (CVE-2015-9543)

References

Notes

  • The stable/queens branch is under extended maintenance and will receive no new point releases, but a patch for it is provided as a courtesy.
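
To check an installed Nova version against the ranges on the "Affects" line, the following is an added example, not part of the original advisory or of Nova's code. It assumes that commas separate alternative ranges and that bounds written together (such as `>=19.0.0<19.1.0`) must both hold; the host names and versions in the inventory are constructed.

```python
import re

# Affected ranges, copied verbatim from the advisory's "Affects" line.
AFFECTS = "<18.2.4,>=19.0.0<19.1.0,>=20.0.0<20.1.0"

_BOUND = re.compile(r"(<=|>=|<|>)\s*(\d+(?:\.\d+)*)")
_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
}


def parse_version(text):
    """'18.2.3' -> (18, 2, 3). Non-numeric suffixes (dev/rc builds) are rejected."""
    text = text.strip()
    if not re.fullmatch(r"\d+(?:\.\d+)*", text):
        raise ValueError(f"not a plain release version: {text!r}")
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def parse_affects(spec):
    """Assumed reading: commas separate alternative ranges, bounds within one are ANDed."""
    ranges = []
    for clause in spec.split(","):
        bounds = [(op, parse_version(v)) for op, v in _BOUND.findall(clause)]
        if not bounds:
            raise ValueError(f"unparseable range: {clause!r}")
        ranges.append(bounds)
    return ranges


def is_affected(version, spec=AFFECTS):
    """True if version falls inside any affected range of the spec."""
    v = parse_version(version)
    return any(all(_OPS[op](v, bound) for op, bound in clause)
               for clause in parse_affects(spec))


if __name__ == "__main__":
    # Constructed inventory (hypothetical host names and versions).
    inventory = {"ctl-01": "18.2.3", "ctl-02": "19.1.0", "ctl-03": "20.0.1"}
    for host, version in inventory.items():
        status = "AFFECTED" if is_affected(version) else "ok"
        print(f"{host}: nova {version} {status}")
```

Deployments on stable/queens will always match `<18.2.4`, because that branch receives no new point release; whether the courtesy patch is applied there has to be confirmed separately from the version number.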