CVE-2024-1141 in python-glance-storeinfo

Summary

by MITRE • 02/01/2024

A vulnerability was found in python-glance-store. The issue occurs when the package logs the access_key for the glance-store when the DEBUG log level is enabled.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 07/27/2025

The vulnerability identified as CVE-2024-1141 resides within the python-glance-store package, which serves as a storage backend for OpenStack Glance, the image service component responsible for storing and retrieving virtual machine images. This flaw represents a critical security oversight that directly impacts the confidentiality and integrity of cloud infrastructure deployments. The vulnerability manifests when the package operates under DEBUG logging level, a configuration typically used for development and troubleshooting purposes but often inadvertently enabled in production environments. When DEBUG logging is active, the system indiscriminately logs authentication credentials, specifically the access_key, which constitutes a severe exposure of sensitive information. This behavior violates fundamental security principles and creates an attack surface that adversaries can exploit to gain unauthorized access to cloud storage resources.

The technical nature of this vulnerability can be categorized as a credential exposure issue, aligning with CWE-209, which describes the improper handling of sensitive information in software applications. The flaw represents a direct violation of the principle of least privilege and secure coding practices, where sensitive data should never be logged or exposed through application output regardless of the logging level. The access_key logging occurs at a low-level system component that processes authentication requests, making it particularly dangerous as it can provide attackers with immediate access to cloud storage systems without requiring additional exploitation techniques. This vulnerability operates at the application layer of the OpenStack architecture, specifically within the glance-store module that manages image storage operations and authentication mechanisms. The exposure occurs during normal operational procedures when debug logging is enabled, making it particularly insidious as it can persist in production environments without detection.

The operational impact of CVE-2024-1141 extends beyond simple credential theft, potentially enabling comprehensive unauthorized access to cloud storage infrastructure and associated resources. Attackers who obtain the exposed access_key can perform read, write, and delete operations on cloud storage volumes, potentially leading to data exfiltration, image tampering, or complete storage system compromise. This vulnerability directly impacts the security posture of OpenStack deployments and can result in compliance violations, particularly in regulated environments where data protection and access control are mandatory. The exposure affects not only the immediate storage system but can also enable lateral movement within cloud environments, as access_keys often provide access to multiple resources within the same cloud account. Organizations utilizing python-glance-store in production environments may face significant operational risk, including potential service disruption, data loss, and regulatory penalties. The vulnerability's impact is amplified by the fact that it requires no specialized exploitation techniques, making it accessible to attackers with minimal technical expertise.

Mitigation strategies for CVE-2024-1141 should focus on immediate configuration changes and operational procedures to prevent credential exposure. The primary recommendation involves disabling DEBUG logging in production environments or ensuring that sensitive information is filtered from log outputs regardless of logging level. Organizations should implement comprehensive logging policies that explicitly exclude authentication credentials from all log entries, utilizing log sanitization techniques to remove sensitive data before any logging occurs. The implementation of the principle of least privilege should be enforced by ensuring that only necessary personnel have access to systems where DEBUG logging might be enabled. Security teams should conduct regular audits of logging configurations across all OpenStack components, particularly focusing on glance-store and related storage modules. Additionally, organizations should consider implementing centralized logging solutions with built-in credential filtering capabilities and establish monitoring procedures to detect anomalous logging patterns that might indicate credential exposure. The vulnerability also highlights the importance of following the ATT&CK framework's credential access techniques, specifically targeting the methods that adversaries use to obtain and exploit exposed credentials. Regular security assessments and penetration testing should include verification of logging configurations to ensure that sensitive information is not inadvertently exposed through application output.

Responsible

Red Hat, Inc.

Reservation

02/01/2024

Disclosure

02/01/2024

Moderation

accepted

CPE

ready

EPSS

0.00226

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!