CVE-2017-2592
An information-disclosure flaw was found in oslo.middleware. Software using the CatchError class could include sensitive values in a traceback's error message. System users could exploit this flaw to obtain sensitive information from OpenStack component error logs (for example, keystone tokens).
Find out more about CVE-2017-2592 from the MITRE CVE dictionary dictionary and NIST NVD.
CVSS v3 metrics
| CVSS3 Base Score | 5.9 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N |
| Attack Vector | Local |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | Required |
| Scope | Changed |
| Confidentiality | High |
| Integrity Impact | None |
| Availability Impact | None |
Red Hat Security Errata
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat OpenStack Platform 10 (python-oslo-middleware) | RHSA-2017:0300 | 2017-02-22 |
| Red Hat OpenStack Platform 9.0 (python-oslo-middleware) | RHSA-2017:0435 | 2017-03-02 |
Affected Packages State
| Platform | Package | State |
|---|---|---|
| Red Hat OpenStack Platform 8.0 (Liberty) | python-oslo-middleware | Not affected |
| Red Hat OpenStack Platform 11.0 (Ocata) | python-oslo-middleware | Not affected |
| Red Hat Gluster Storage 3.1 | python-oslo-middleware | Not affected |
| Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7 | python-oslo-middleware | Not affected |
| Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7 | python-oslo-middleware | Not affected |
| Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) | python-oslo-middleware | Not affected |