CVE-2015-8749
OpenStack Nova Potential Xen connection password leak via StorageError
Severity: 5.9 MEDIUM (CVSS 3.1), EPSS 0.94%
Description
The volume_utils._parse_volume_info function in OpenStack Compute (Nova) before 2015.1.3 (kilo) and 12.0.x before 12.0.1 (liberty) includes the connection_info dictionary in the StorageError message when using the Xen backend, which might allow attackers to obtain sensitive password information by reading log files or other unspecified vectors.
How to fix CVE-2015-8749
To remediate CVE-2015-8749, upgrade the affected package to a fixed version below.
- Upgrade to 2:13.0.0~rc3-1 or later
- Upgrade to 12.0.1 or later
Is CVE-2015-8749 being exploited?
Low — EPSS is 0.9%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 2:13.0.0~rc3-1
- >= 12.0.0, < 12.0.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 5.9 | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |