CVE-2015-3646
OpenStack Keystone Logs Passwords
EPSS 0.18%
Description
OpenStack Identity (Keystone) before 2014.1.5 and 2014.2.x before 2014.2.4 logs the backend_argument configuration option content, which allows remote authenticated users to obtain passwords and other sensitive backend information by reading the Keystone logs.
How to fix CVE-2015-3646
To remediate CVE-2015-3646, upgrade the affected package to a fixed version below.
- Debian/keystone—upgrade to 2015.1.0-1 or later
- PyPI/keystone—upgrade to 2014.1.5 or later
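Upgrading stops new disclosures but leaves logs already written untouched. The following is an added example, not Keystone code or part of the advisory: it scans log text for a logged backend_argument value and redacts it. The sample lines are constructed, and the `name = value` line layout and the asterisk masking are assumptions about the log format.

```python
import re

# Matches an option dump such as "cache.backend_argument = [...]".
# Assumption: options are logged as "name = value"; the advisory does not show the format.
OPTION_RE = re.compile(r"\bbackend_argument\s*=\s*(?P<value>.*)$")

# Constructed sample lines (not real Keystone output).
SAMPLE_LOG = """\
2015-04-01 10:00:01.123 4242 DEBUG keystone [-] cache.backend = dogpile.cache.memcached
2015-04-01 10:00:01.124 4242 DEBUG keystone [-] cache.backend_argument = ['url:127.0.0.1:11211', 'password:EXAMPLE-SECRET']
2015-04-01 10:00:01.125 4242 DEBUG keystone [-] cache.backend_argument = []
2015-04-01 10:00:01.126 4242 DEBUG keystone [-] cache.backend_argument = ****
2015-04-01 10:00:02.000 4242 INFO keystone [-] Starting keystone-all
"""


def is_exposed(value):
    """True when the logged value carries content rather than being empty or masked."""
    v = value.strip()
    if v in ("", "[]", "None"):
        return False
    # Assumption: a value made only of asterisks is an already-masked secret.
    return set(v) != {"*"}


def scan_and_redact(text):
    """Return (line numbers with an exposed backend_argument, redacted copy of text)."""
    findings = []
    out = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = OPTION_RE.search(line)
        if m and is_exposed(m.group("value")):
            findings.append(lineno)
            # Keep timestamp and option name for audit, drop the value itself.
            line = line[:m.start("value")] + "<redacted>"
        out.append(line)
    return findings, "\n".join(out) + "\n"


if __name__ == "__main__":
    hits, cleaned = scan_and_redact(SAMPLE_LOG)
    print("exposed lines:", hits)
    print(cleaned, end="")
```

Any line this reports means the backend credential it contained should be treated as disclosed to everyone who could read that log.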
Is CVE-2015-3646 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- Debian/keystone: from 0, < 2015.1.0-1
- PyPI/keystone: >= 2011.3, < 2014.1.5