{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-1141", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2024-02-01T00:47:57.686Z", "datePublished": "2024-02-01T14:21:37.758Z", "dateUpdated": "2024-11-24T14:50:21.545Z"}, "containers": {"cna": {"title": "Glance-store: glance store access key logged in debug log level", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in python-glance-store. The issue occurs when the package logs the access_key for the glance-store when the DEBUG log level is enabled."}], "affected": [{"versions": [{"status": "affected", "version": "0", "lessThan": "4.7.0", "versionType": "custom"}], "packageName": "glance-store", "collectionURL": "https://github.com/openstack/glance_store/", "defaultStatus": "unaffected"}, {"vendor": "Red Hat", "product": "Red Hat OpenStack Platform 17.1 for RHEL 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "python-glance-store", "defaultStatus": "affected", "versions": [{"version": "0:2.5.1-17.1.20230621023901.el9ost", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:openstack:17.1::el9"]}, {"vendor": "Red Hat", "product": "Red Hat OpenStack Platform 16.1", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "python-glance-store", "defaultStatus": "unknown", "cpes": ["cpe:/a:redhat:openstack:16.1"]}, {"vendor": "Red Hat", "product": "Red Hat OpenStack Platform 16.2", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "python-glance-store", "defaultStatus": "unknown", "cpes": ["cpe:/a:redhat:openstack:16.2"]}, {"vendor": "Red Hat", "product": "Red Hat OpenStack Platform 18.0", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "python-glance-store", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:openstack:18.0"]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2024:2732", "name": "RHSA-2024:2732", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2024-1141", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2258836", "name": "RHBZ#2258836", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2024-01-17T00:00:00+00:00", "problemTypes": [{"descriptions": [{"cweId": "CWE-779", "description": "Logging of Excessive Data", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-779: Logging of Excessive Data", "workarounds": [{"lang": "en", "value": "Avoid leaving the DEBUG log level enabled in critical environments."}], "timeline": [{"lang": "en", "time": "2024-01-17T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-01-17T00:00:00+00:00", "value": "Made public."}], "credits": [{"lang": "en", "value": "Red Hat would like to thank Lujie (ICT) for reporting this issue."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2024-11-24T14:50:21.545Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-1141", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-02-01T20:50:59.471008Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T18:00:46.862Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:26:30.566Z"}, "title": "CVE Program Container", "references": [{"url": "https://access.redhat.com/errata/RHSA-2024:2732", "name": "RHSA-2024:2732", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/security/cve/CVE-2024-1141", "tags": ["vdb-entry", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2258836", "name": "RHBZ#2258836", "tags": ["issue-tracking", "x_refsource_REDHAT", "x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://access.redhat.com/errata/RHSA-2024:2732", "name": "RHSA-2024:2732", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/security/cve/CVE-2024-1141", "tags": ["vdb-entry", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2258836", "name": "RHBZ#2258836", "tags": ["issue-tracking", "x_refsource_REDHAT", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:26:30.566Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-1141", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-02-01T20:50:59.471008Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-04-29T17:57:33.644Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "Glance-store: glance store access key logged in debug log level", "credits": [{"lang": "en", "value": "Red Hat would like to thank Lujie (ICT) for reporting this issue."}], "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"versions": [{"status": "affected", "version": "0", "lessThan": "4.7.0", "versionType": "custom"}], "packageName": "glance-store", "collectionURL": "https://github.com/openstack/glance_store/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:openstack:17.1::el9"], "vendor": "Red Hat", "product": "Red Hat OpenStack Platform 17.1 for RHEL 9", "versions": [{"status": "unaffected", "version": "0:2.5.1-17.1.20230621023901.el9ost", "lessThan": "*", "versionType": "rpm"}], "packageName": "python-glance-store", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:openstack:16.1"], "vendor": "Red Hat", "product": "Red Hat OpenStack Platform 16.1", "packageName": "python-glance-store", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unknown"}, {"cpes": ["cpe:/a:redhat:openstack:16.2"], "vendor": "Red Hat", "product": "Red Hat OpenStack Platform 16.2", "packageName": "python-glance-store", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unknown"}, {"cpes": ["cpe:/a:redhat:openstack:18.0"], "vendor": "Red Hat", "product": "Red Hat OpenStack Platform 18.0", "packageName": "python-glance-store", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}], "timeline": [{"lang": "en", "time": "2024-01-17T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-01-17T00:00:00+00:00", "value": "Made public."}], "datePublic": "2024-01-17T00:00:00+00:00", "references": [{"url": "https://access.redhat.com/errata/RHSA-2024:2732", "name": "RHSA-2024:2732", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2024-1141", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2258836", "name": "RHBZ#2258836", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "workarounds": [{"lang": "en", "value": "Avoid leaving the DEBUG log level enabled in critical environments."}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in python-glance-store. The issue occurs when the package logs the access_key for the glance-store when the DEBUG log level is enabled."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-779", "description": "Logging of Excessive Data"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2024-11-24T14:50:21.545Z"}, "x_redhatCweChain": "CWE-779: Logging of Excessive Data"}}, "cveMetadata": {"cveId": "CVE-2024-1141", "state": "PUBLISHED", "dateUpdated": "2024-11-24T14:50:21.545Z", "dateReserved": "2024-02-01T00:47:57.686Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2024-02-01T14:21:37.758Z", "assignerShortName": "redhat"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openstack:glance-store:*:*:*:*:*:*:*:*", "matchCriteriaId": "0F458E5B-E294-4754-9588-C7870DC094DD", "versionEndExcluding": "4.7.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in python-glance-store. The issue occurs when the package logs the access_key for the glance-store when the DEBUG log level is enabled."}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad en python-glance-store. El problema ocurre cuando el paquete registra la clave de acceso para el almac\u00e9n de vistazo cuando el nivel de registro DEBUG est\u00e1 habilitado."}], "id": "CVE-2024-1141", "lastModified": "2024-11-21T08:49:53.540", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "secalert@redhat.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-02-01T15:15:08.547", "references": [{"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:2732"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2024-1141"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2258836"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://access.redhat.com/errata/RHSA-2024:2732"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2024-1141"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2258836"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-779"}], "source": "secalert@redhat.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Lujie (ICT) for reporting this issue.", "affected_release": [{"advisory": "RHSA-2024:2732", "cpe": "cpe:/a:redhat:openstack:17.1::el9", "package": "python-glance-store-0:2.5.1-17.1.20230621023901.el9ost", "product_name": "Red Hat OpenStack Platform 17.1 for RHEL 9", "release_date": "2024-05-22T00:00:00Z"}], "bugzilla": {"description": "glance-store: Glance Store access key logged in DEBUG log level", "id": "2258836", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2258836"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "status": "verified"}, "cwe": "CWE-779", "details": ["A vulnerability was found in python-glance-store. The issue occurs when the package logs the access_key for the glance-store when the DEBUG log level is enabled.", "A vulnerability was found in python-glance-store. The issue occurs when the package logs the access_key for the glance-store when the DEBUG log level is enabled."], "mitigation": {"lang": "en:us", "value": "Avoid leaving the DEBUG log level enabled in critical environments."}, "name": "CVE-2024-1141", "package_state": [{"cpe": "cpe:/a:redhat:openstack:16.1", "fix_state": "Out of support scope", "package_name": "python-glance-store", "product_name": "Red Hat OpenStack Platform 16.1"}, {"cpe": "cpe:/a:redhat:openstack:16.2", "fix_state": "Out of support scope", "package_name": "python-glance-store", "product_name": "Red Hat OpenStack Platform 16.2"}, {"cpe": "cpe:/a:redhat:openstack:18.0", "fix_state": "Affected", "package_name": "python-glance-store", "product_name": "Red Hat OpenStack Platform 18.0"}], "public_date": "2024-01-17T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-1141\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-1141"], "statement": "Red Hat Product Security rates this as a Moderate impact since the DEBUG log levels are normally not enabled in production environments. Also, an attacker would need access to both to change the log level and to read the log levels, which would imply the system is already compromised.", "threat_severity": "Moderate"}