OSSA-2014-004: Glance Swift store backend password leak

OSSA-2014-004: Glance Swift store backend password leak


February 12, 2014




  • Glance: 2013.2 versions up to 2013.2.1


Nikhil Komawar from Rackspace reported an information leak in Glance logs. The password for the Swift store backend is logged at WARNING level as part of the URL when authentication to a store fails if image location is not disabled by policy or the store is a single-tenant configuration. An attacker with access to the logs (local shell, log aggregation system access, or accidental leak) may leverage this vulnerability to elevate privileges and gain direct full access to the Glance Swift store backend. Only Glance setups using the Swift store backend are affected.


  • Nikhil Komawar from Rackspace (CVE-2014-1948)

Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.