Thanks for looking into this, Gorka.

Note to anyone reading this thread: openstack-discuss is a public mailing list. If you come across a possible security issue that you want to report, please follow the process explained here:

"How to report security issues to OpenStack"
https://security.openstack.org/reporting.html

cheers,
brian

On 8/13/24 9:46 AM, Gorka Eguileor wrote:
Hi,
I checked the list and they are all in unit tests, so no real security issues there.
The one in nexenta utils is just the default password, which is also documented, so not a vulnerability in itself either.
Cheers, Gorka.
On 13/08, jiawei_zhou@seu.edu.cn wrote:
Dear developers of the project(cinder),
We are software security researchers, currently conducting research on secret detection and leakage risk within the open-source ecosystem.
In our analysis, we identified potential secret leakage risks in your project, cinder.
We provide the detail of our findings in the attachment, which allows you to locate the potential leaked secrets. Below is an interpretation of the attached data:
{
    'file': '',           # The file containing the secret
                          # The project name, version or commit_hash may be reflected in the file path
    'line_start': 1,      # location: Start line of the secret
    'line_end': 28,       # location: End line of the secret
    'col_start': 1,       # location: Start column of the secret
    'col_end': 1,         # location: End column of the secret
    'index_start': 0,     # location: Start index of the secret
    'index_end': 1675,    # location: End index of the secret
}
Declaration: we hereby declare that we have *NOT* conducted any verification test or exploit on the identified secrets. We plan to publish related research papers in the future, and the relevant content MIGHT BE ACCESSIBLE TO THE PUBLIC due to the 90-day disclosure policy.
Some advice:
1. If the leaked secret is sensitive and still valid, invalidate and rotate the secret immediately.
2. Some secrets seem to be used only in the testing environment. Although probably harmless, it is considered bad practice to include secrets for the test environment in release builds.
Best regards,
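The triage Gorka describes (is the reported span in a unit test, and what exactly does it point at?) can be scripted against findings in the record format quoted in the report. The following is an added example written for this thread; it is neither cinder code nor the researchers' tooling. The file contents, the findings, and the test-tree path heuristic (cinder keeps unit tests under cinder/tests/unit/) are constructed assumptions for the example.

```python
"""Triage secret-scanner findings reported in the record format quoted above.

Added example; this is not cinder code and not the researchers' tool.
Path heuristics, file contents and findings are constructed assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed stand-ins for repository files (not real cinder sources).
FILES = {
    "cinder/tests/unit/volume/drivers/test_example.py":
        "FAKE_PASSWORD = 'fake-password-123'\n",
    "cinder/volume/drivers/example/utils.py":
        "DEFAULT_PASSWORD = 'changeme'\n",
    "cinder/volume/drivers/example/config.py":
        "import os\n\nAPI_TOKEN = 'tok-constructed-0001'\n",
}

# Constructed findings using the same keys as the reporter's schema.
FINDINGS = [
    {"file": "cinder/tests/unit/volume/drivers/test_example.py",
     "line_start": 1, "line_end": 1, "col_start": 17, "col_end": 36,
     "index_start": 16, "index_end": 35},
    {"file": "cinder/volume/drivers/example/utils.py",
     "line_start": 1, "line_end": 1, "col_start": 20, "col_end": 30,
     "index_start": 19, "index_end": 29},
    {"file": "cinder/volume/drivers/example/config.py",
     "line_start": 3, "line_end": 3, "col_start": 13, "col_end": 35,
     "index_start": 23, "index_end": 45},
    # Deliberately inconsistent record: the index points at line 3 but
    # line_start says 1, so the location fields disagree with each other.
    {"file": "cinder/volume/drivers/example/config.py",
     "line_start": 1, "line_end": 1, "col_start": 13, "col_end": 35,
     "index_start": 23, "index_end": 45},
]

# Assumed test-tree layout: a tests/ or test/ directory, or a test_*.py file.
TEST_PATH = re.compile(r"(^|/)tests?/|(^|/)test_[^/]*\.py$")


def is_test_file(path: str) -> bool:
    """True when the path is under a test tree (heuristic, see TEST_PATH)."""
    return TEST_PATH.search(path) is not None


def line_of_index(content: str, index: int) -> int:
    """1-based line number of the character at offset `index`."""
    return content.count("\n", 0, index) + 1


@dataclass
class Triage:
    file: str
    snippet: str
    verdict: str  # "test-only", "review", or "location-mismatch"


def triage_finding(finding: dict, files: dict[str, str]) -> Triage:
    """Extract the reported span and decide whether a human must look at it."""
    content = files.get(finding["file"], "")
    snippet = content[finding["index_start"]:finding["index_end"]]
    # Cross-check the character offset against the reported line number;
    # a mismatch means the record cannot be trusted to locate the secret.
    if line_of_index(content, finding["index_start"]) != finding["line_start"]:
        verdict = "location-mismatch"
    elif is_test_file(finding["file"]):
        verdict = "test-only"
    else:
        verdict = "review"
    return Triage(finding["file"], snippet, verdict)


def triage_all(findings: list[dict], files: dict[str, str]) -> list[Triage]:
    return [triage_finding(f, files) for f in findings]


def files_needing_review(findings: list[dict], files: dict[str, str]) -> list[str]:
    """Distinct non-test files whose reported span should be checked by hand."""
    seen: list[str] = []
    for t in triage_all(findings, files):
        if t.verdict == "review" and t.file not in seen:
            seen.append(t.file)
    return seen


if __name__ == "__main__":
    for t in triage_all(FINDINGS, FILES):
        print(f"{t.verdict:18} {t.file}: {t.snippet}")
```

The "review" verdict only means a human should look at the span: as the thread shows, a documented default in a non-test file is still not a vulnerability, and that judgement cannot be automated from the record alone.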