CVE-2013-2006: OpenStack Keystone Sensitive information disclosure via log files
CVSS Score: 2.1
Basic Information
CVE ID: CVE-2013-2006
GHSA ID
EPSS Score: 0.17388%
CWE
Published: 5/17/2022
Updated: 11/22/2024
KEV Status: No
Technology: Python
Technical Details
CVSS Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
keystone | pip | < 8.0.0a0 | 8.0.0a0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from two sensitive configuration options not being marked as 'secret' for the logging system. Commit c5037dd explicitly adds 'secret=True' to the two register_str() calls that define these options in keystone/common/config.py. Before this fix, the absence of the 'secret' parameter allowed the admin_token and the LDAP password to appear verbatim in debug logs, because these register_str() calls are what tell the logging subsystem how each configuration value may be rendered.
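As an added illustration (not keystone's or oslo.config's own code), a minimal option registry modelled on oslo.config's secret flag: the StrOpt and Registry classes, the option name ldap_password and the sample secret values are hypothetical and constructed, and the two registrations mirror the ones the fix changed, so the same config dump can be run with and without secret=True.

```python
import logging
from dataclasses import dataclass

REDACTED = "****"  # what a secret option's value is replaced with in logs

@dataclass
class StrOpt:  # hypothetical stand-in for oslo.config's StrOpt(secret=...)
    name: str
    default: str = ""
    secret: bool = False

class Registry:
    """Minimal option registry; register_str mirrors the call named in the CVE."""
    def __init__(self):
        self._opts = {}

    def register_str(self, name, default="", secret=False):
        self._opts[name] = StrOpt(name, default, secret)

    def log_opt_values(self, logger=None):
        """Dump every option at DEBUG, masking secret ones; returns the lines."""
        logger = logger or logging.getLogger("config")
        lines = []
        for name, opt in sorted(self._opts.items()):
            value = REDACTED if opt.secret else opt.default
            lines.append(f"{name} = {value}")
            logger.debug(lines[-1])
        return lines

SAMPLE_SECRETS = ["constructed-token-123", "constructed-ldap-pw"]  # constructed values

def build_registry(fixed):
    """Constructed config with the two options the CVE names; fixed=False
    reproduces the pre-patch registration without the secret flag."""
    reg = Registry()
    reg.register_str("admin_token", default=SAMPLE_SECRETS[0], secret=fixed)
    reg.register_str("ldap_password", default=SAMPLE_SECRETS[1], secret=fixed)
    reg.register_str("ldap_url", default="ldap://localhost")  # non-secret, always shown
    return reg

def leaked_secrets(lines, secrets=SAMPLE_SECRETS):
    """Return the secret values that appear verbatim in the rendered log lines."""
    return [s for s in secrets if any(s in line for line in lines)]

if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    for fixed in (False, True):
        print("secret=%s leaked: %s" % (fixed, leaked_secrets(build_registry(fixed).log_opt_values())))
```

Running it shows both constructed secrets in the pre-fix dump and only the masked placeholder once the flag is set, while the non-secret ldap_url is logged either way.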