CVE-2011-4076: OpenStack Nova Exposure of Sensitive Information to an Unauthorized Actor

CVSS Score
5.9 (CVSS 3.1)

Basic Information

EPSS Score
0.60422%
Published
4/22/2022
Updated
5/8/2024
KEV Status
No
Technology
Python

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Package Name
nova
Ecosystem
pip
Vulnerable Versions
< 12.0.0a0
First Patched Version
12.0.0a0

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stemmed from improper error handling that revealed sensitive credentials. The commits b1ab6da and beee11e modified the __repr__ methods of the affected user and project objects to exclude sensitive fields, confirming their role in the exposure. The original implementations returned full user/project details (including secrets) during authentication failures, which matches the CVE's description of EC2_SECRET_KEY leakage via error messages.

WAF Protection Rules

WAF Rule

OpenStack Nova before 2012.1 allows someone with access to an EC2_ACCESS_KEY (equivalent to a username) to obtain the EC2_SECRET_KEY (equivalent to a password). Exposing the EC2_ACCESS_KEY via http or tools that allow man-in-the-middle over https cou
