CVE-2024-1141: Logging of Excessive Data
CVE-2024-1141 is a medium severity vulnerability in python-glance-store, the storage backend library of OpenStack Glance, in which the access_key credential the store uses is written to the log at DEBUG level. Anyone who can read those debug logs obtains a working credential, and because logs are routinely shipped to central collectors and kept in rotated archives and backups, the audience is wider than the host the line was written on. The impact is to confidentiality only. Exploitation needs local, low-privileged access with low complexity and no user interaction (CVSS 3.1 AV:L/AC:L/PR:L/UI:N), and it only applies while DEBUG logging is enabled. No active exploitation in the wild is known. Organizations running OpenStack with python-glance-store should confirm that debug logging is off in production, restrict who can read Glance logs and the systems they are forwarded to, apply the fixed package when their distribution ships it, and rotate any access_key that was in use while debug logging was on. Countries with significant OpenStack deployments and cloud infrastructure, such as Germany, France and the UK, are the most likely to be affected. Overall risk is medium: the attacker needs existing local privileges, and integrity and availability are not directly affected.
AI Analysis
Technical Summary
CVE-2024-1141 affects the python-glance-store package, the library OpenStack Glance uses to read and write image data in its storage backends. When the DEBUG log level is enabled, the package writes the access_key it uses to authenticate to the store into its log output, so the credential sits in plain text in the log file. Those files are read by administrators, forwarded to central logging platforms and retained in rotated archives and backups, so the set of people and systems that can recover the key is larger than the local host. The CVSS 3.1 base score is 5.5 (medium) with vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N: local access with low privileges, low attack complexity, no user interaction, a high confidentiality impact and no integrity or availability impact. The leak only happens while DEBUG logging is on, so exposure is concentrated in development systems and in production deployments where verbose logging was enabled for troubleshooting and never turned off. No exploitation in the wild is known, and no patch references were attached to this advisory record. The CVE was published on February 1, 2024 and assigned by Red Hat. An attacker who reads the key can authenticate to the image backend directly, bypassing the Glance API and its authorization checks, and read or modify the images the cloud boots its instances from.
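As an added example, not code from glance_store or from the advisory: the kind of DEBUG line the advisory describes (a store credential interpolated into a debug message), the direct fix of not passing the credential to the logger, and a handler-level redaction filter as a second line of defence for code paths you have not audited. The message wording, host, bucket and key value are constructed, and the function names are illustrative only.

```python
"""Vulnerable debug-log pattern beside two fixes (added example, not glance_store code).

The message below imitates the kind of DEBUG line described for CVE-2024-1141:
a store credential interpolated into a debug message. Host, bucket and key are
constructed sample values, and the function names are illustrative only.
"""
import io
import logging
import re
from typing import Optional

SAMPLE_ACCESS_KEY = "AKIAEXAMPLE0123456789"  # constructed, not a real key
SAMPLE_HOST = "s3.internal.example"
SAMPLE_BUCKET = "glance-images"


def _capture_logger(name: str, level: int,
                    filt: Optional[logging.Filter] = None):
    """Return (logger, buffer); every record the logger emits is written to buffer."""
    logger = logging.getLogger(name)
    logger.handlers.clear()      # idempotent across repeated calls
    logger.propagate = False
    logger.setLevel(level)
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    if filt is not None:
        handler.addFilter(filt)
    logger.addHandler(handler)
    return logger, buf


def vulnerable_add_image(logger: logging.Logger) -> None:
    """Vulnerable pattern: the credential is one of the interpolated arguments,
    so it lands in the log whenever the DEBUG level is enabled."""
    logger.debug(
        "Adding image object using (host=%(host)s, access_key=%(access_key)s, "
        "bucket=%(bucket)s)",
        {"host": SAMPLE_HOST, "access_key": SAMPLE_ACCESS_KEY,
         "bucket": SAMPLE_BUCKET},
    )


def fixed_add_image(logger: logging.Logger) -> None:
    """Primary fix: never hand the credential to the logger at all."""
    logger.debug(
        "Adding image object using (host=%(host)s, bucket=%(bucket)s)",
        {"host": SAMPLE_HOST, "bucket": SAMPLE_BUCKET},
    )


class SecretRedactingFilter(logging.Filter):
    """Defence in depth: mask key=value pairs whose key looks like a secret.

    Attached to the handler, the filter runs before formatting, so it covers
    every code path that logs through that handler, not only the one we know.
    """
    _PATTERN = re.compile(
        r"(?i)\b(access_key|secret_key|password|token)\s*[=:]\s*([^,\s)]+)")

    def filter(self, record: logging.LogRecord) -> bool:
        # Interpolate args first, redact the result, then drop args so the
        # formatter cannot re-insert the original secret.
        record.msg = self._PATTERN.sub(r"\1=***", record.getMessage())
        record.args = None
        return True


def run(level: int, vulnerable: bool, redact: bool) -> str:
    """Emit one debug line under the given settings and return what was logged
    (empty string when the level suppresses it). `level` is a logging constant:
    logging.DEBUG == 10, logging.INFO == 20."""
    logger, buf = _capture_logger(
        f"cve_2024_1141_demo.{level}.{vulnerable}.{redact}", level,
        SecretRedactingFilter() if redact else None)
    (vulnerable_add_image if vulnerable else fixed_add_image)(logger)
    return buf.getvalue()


if __name__ == "__main__":
    print("DEBUG on, vulnerable:  ", run(logging.DEBUG, True, False).strip())
    print("INFO only, vulnerable: ", repr(run(logging.INFO, True, False)))
    print("DEBUG on, redacted:    ", run(logging.DEBUG, True, True).strip())
    print("DEBUG on, fixed:       ", run(logging.DEBUG, False, False).strip())
```

The redaction filter is a safety net, not a substitute for the code fix: it only catches secrets that appear in a recognisable key=value shape, so the right order is to remove the credential from the log call first and keep the filter for whatever you have not yet reviewed.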
Potential Impact
For European organizations running private or public OpenStack clouds, the risk is credential leakage through debug logs. With the store access_key an attacker can talk to the image backend directly and read or tamper with virtual machine images; a modified base image is executed by every instance later booted from it, which is how a confidentiality problem in the store turns into privilege escalation and lateral movement inside the cloud. The vulnerability itself does not affect integrity or availability, but the credential it exposes does. Organizations subject to GDPR may also face compliance exposure if the leaked credential protects images that contain personal data. The risk is higher where debug logging is enabled in production or where log files and log-collection pipelines are insufficiently protected, and lower because the attacker needs local privileges, which limits the attack surface to insiders or to attackers who already have a foothold on a Glance node or a log server.
Mitigation Recommendations
European organizations should audit the logging configuration on every Glance node: the relevant setting is the oslo.log debug option in the [DEFAULT] section of glance-api.conf, which must be false in production, and any host where it was true while the vulnerable package was running should be treated as having already leaked the key. Restrict read access to the Glance log directory (typically /var/log/glance) and to wherever those logs are forwarded, using file system permissions on the node and role-based access control in the central logging platform, and alert on unusual reads of those logs and on configuration changes that enable DEBUG. Apply the fixed python-glance-store package from your distribution or upstream as soon as it is available. Because a logged key persists in rotated logs, log-shipping buffers and backups, rotate any access_key that was in use while debug logging was on and scrub or expire the affected log archives. Train administrators to enable debug logging only for the duration of a troubleshooting session and to turn it off afterwards, and keep store credentials in a secrets management solution rather than in plain configuration files where the deployment allows it.
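As an added example, not an OpenStack or Red Hat tool: a small audit script covering two of the steps above, checking the debug option in glance-api.conf and scanning log lines for an access_key that has already been written out, so you know which credential to rotate. The config text, log lines, logger name and key value are constructed samples; real deployments differ in paths and log formats.

```python
"""Audit helper for CVE-2024-1141 exposure (added example, not an OpenStack tool).

Two checks for a Glance node: (1) is the oslo.log `debug` option on in the
[DEFAULT] section of glance-api.conf, and (2) has an access_key already been
written to the logs, in which case it must be rotated, not merely stop being
logged. The config text, log lines, logger names and key values are
constructed samples; real deployments will differ in paths and formats.
"""
import configparser
import re
from typing import Dict, List

# Constructed config samples: the weak setting beside the corrected one.
WEAK_CONF = """\
[DEFAULT]
debug = True
log_file = /var/log/glance/api.log

[glance_store]
stores = s3,file
default_store = s3
"""

HARDENED_CONF = WEAK_CONF.replace("debug = True", "debug = False")

# Constructed log lines in the usual oslo.log layout; the key is not real and
# "glance_store.backend" is a placeholder logger name.
SAMPLE_LOG_LINES = [
    "2024-02-01 10:15:01.001 1234 INFO glance.api.v2.image_data [req-1] "
    "Uploading image 0d2c",
    "2024-02-01 10:15:01.002 1234 DEBUG glance_store.backend [req-1] "
    "Adding image object using (host=s3.internal.example, "
    "access_key=AKIAEXAMPLE0123456789, bucket=glance-images)",
    "2024-02-01 10:15:02.340 1234 DEBUG glance_store.backend [req-2] "
    "Retry with access_key=AKIAEXAMPLE0123456789)",
    "2024-02-01 10:15:03.000 1234 INFO glance.api.v2.image_data [req-2] "
    "Upload complete",
]

# Field names that should never appear with a value in a log line.
LEAK_PATTERN = re.compile(
    r"(?i)\b(access_key|secret_key|aws_access_key_id)\s*[=:]\s*([^,\s)]+)")


def debug_logging_enabled(conf_text: str) -> bool:
    """True when [DEFAULT] debug is truthy. configparser accepts the same
    spellings oslo.config does (true/false, yes/no, on/off, 1/0); a missing
    option means the default, which is off."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    return parser.getboolean("DEFAULT", "debug", fallback=False)


def find_leaked_keys(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per credential occurrence: line number, field, value."""
    findings: List[Dict[str, object]] = []
    for n, line in enumerate(lines, start=1):
        for m in LEAK_PATTERN.finditer(line):
            findings.append({"line": n, "field": m.group(1).lower(),
                             "value": m.group(2)})
    return findings


def mask(value: str) -> str:
    """Show only the last four characters when reporting, so the audit output
    does not become another copy of the secret."""
    return "*" * max(len(value) - 4, 0) + value[-4:]


def audit(conf_text: str, lines: List[str]) -> Dict[str, object]:
    """Combine both checks. keys_to_rotate is the de-duplicated set of values
    that have already been exposed, whatever the current debug setting is."""
    findings = find_leaked_keys(lines)
    return {
        "debug_enabled": debug_logging_enabled(conf_text),
        "findings": findings,
        "keys_to_rotate": sorted({f["value"] for f in findings}),
    }


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        result = audit(conf, SAMPLE_LOG_LINES)
        print(f"[{label}] debug_enabled={result['debug_enabled']} "
              f"leaked_occurrences={len(result['findings'])} "
              f"keys_to_rotate={[mask(k) for k in result['keys_to_rotate']]}")
```

Run the scan against rotated and archived logs as well as the live file, and against the copies held by your central logging platform; a key that appears anywhere in that history needs rotating even if debug logging is already off.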
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: redhat
- Date Reserved: 2024-02-01T00:47:57.686Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68e8557cba0e608b4fb1eee7
Added to database: 10/10/2025, 12:38:20 AM
Last enriched: 10/10/2025, 12:54:17 AM
Last updated: 10/10/2025, 1:46:43 AM