Comment 10 for bug 1628031

Matthew Edmonds (edmondsw) wrote : Re: keystonemiddleware logs token in stacktrace

There's probably some standard way of deciding how to fill the "Affects" line, which this probably meets, but it seems odd. Isn't the value in comment 8 equivalent to "<=2.8.0, >=3.0.0 <=3.20.0", unless there are 3.8.x and 3.19.x versions that aren't affected? And I don't see how that would be possible.

I would be ok with the description in comment 8, but something like the following might be better:

Divya K Konoor with IBM reported a vulnerability in oslo.middleware. Software using the CatchError class may include sensitive values in the error message accompanying a Traceback, resulting in their disclosure. For example, keystone tokens included in API request headers may leak into neutron error logs.
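To make the leak class in this description concrete, here is an added example that is not part of the bug thread and not oslo.middleware's CatchError code: a small, hypothetical WSGI catch-errors middleware written in the vulnerable pattern (the whole request environ and traceback go to the log, token headers included), beside a hardened variant that masks known token headers and additionally strips their values out of the exception text. The environ, token value and header list are constructed for the example; the header set is an assumption about which keystone headers matter, not a list from the project.

```python
"""Hypothetical catch-errors middleware showing how a keystone token in a
request header ends up in an error log, and one way to stop it.
Constructed example; not oslo.middleware's code."""
import traceback

# Constructed sample request environ, as WSGI presents it: the keystone
# token travels in the X-Auth-Token header, i.e. environ["HTTP_X_AUTH_TOKEN"].
SAMPLE_TOKEN = "gAAAAAB-constructed-keystone-token-value"
SAMPLE_ENVIRON = {
    "REQUEST_METHOD": "GET",
    "PATH_INFO": "/v2.0/networks",
    "HTTP_X_AUTH_TOKEN": SAMPLE_TOKEN,
    "HTTP_USER_AGENT": "python-neutronclient",
}

# Assumed set of environ keys whose values must never reach a log.
SENSITIVE_KEYS = frozenset({
    "HTTP_X_AUTH_TOKEN", "HTTP_X_SERVICE_TOKEN",
    "HTTP_X_SUBJECT_TOKEN", "HTTP_AUTHORIZATION",
})
REDACTED = "***"


def failing_app(environ, start_response):
    """Downstream app that raises; its message echoes the header value, as a
    careless handler might, so scrubbing the environ alone is not enough."""
    raise RuntimeError("backend rejected token %s"
                       % environ.get("HTTP_X_AUTH_TOKEN"))


def leaky_catch_errors(app, sink):
    """Vulnerable pattern: log repr(environ) plus the traceback verbatim.
    `sink` is a list standing in for a log handler so results can be checked."""
    def middleware(environ, start_response):
        try:
            return app(environ, start_response)
        except Exception:
            sink.append("Unhandled exception for %r\n%s"
                        % (environ, traceback.format_exc()))
            start_response("500 Internal Server Error",
                           [("Content-Type", "text/plain")])
            return [b"An unknown error has occurred.\n"]
    return middleware


def scrub_environ(environ):
    """Keep the keys (useful for debugging) but mask sensitive values."""
    return {k: (REDACTED if k in SENSITIVE_KEYS else v)
            for k, v in environ.items()}


def redact_values(text, environ):
    """Remove any sensitive header value wherever it appears in free text,
    e.g. inside an exception message or traceback."""
    for key in SENSITIVE_KEYS:
        value = environ.get(key)
        if value:
            text = text.replace(value, REDACTED)
    return text


def safe_catch_errors(app, sink):
    """Hardened pattern: scrub the environ, then redact known values from the
    whole log message so a token echoed by the exception is caught too."""
    def middleware(environ, start_response):
        try:
            return app(environ, start_response)
        except Exception:
            msg = ("Unhandled exception for %r\n%s"
                   % (scrub_environ(environ), traceback.format_exc()))
            sink.append(redact_values(msg, environ))
            start_response("500 Internal Server Error",
                           [("Content-Type", "text/plain")])
            return [b"An unknown error has occurred.\n"]
    return middleware


def _start_response(status, headers, exc_info=None):
    """Minimal WSGI start_response stub for running the middleware offline."""
    return None


def run(wrapper):
    """Drive one wrapped request through `wrapper` and return the log line
    it produced together with the response body."""
    sink = []
    body = wrapper(failing_app, sink)(dict(SAMPLE_ENVIRON), _start_response)
    return sink[0], b"".join(body)


def token_leaks(log_text):
    """Detection check: does the sample token appear in the log text?"""
    return SAMPLE_TOKEN in log_text


if __name__ == "__main__":
    for name, wrapper in (("leaky", leaky_catch_errors),
                          ("safe", safe_catch_errors)):
        log_line, _ = run(wrapper)
        print("%s middleware leaks token: %s" % (name, token_leaks(log_line)))
```

Value-based redaction only protects values you already know about, so the same treatment has to be applied to tokens that arrive in query strings or request bodies; the log keeps the header names so the entry is still useful when debugging.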