CVE-2024-1141: Logging of Excessive Data

Severity: Medium
Published: Thu Feb 01 2024 (02/01/2024, 14:21:37 UTC)
Source: CVE Database V5

Description

A vulnerability was found in python-glance-store. The issue occurs when the package logs the access_key for the glance-store when the DEBUG log level is enabled.

AI-Powered Analysis

Last updated: 11/20/2025, 18:43:08 UTC

Technical Analysis

CVE-2024-1141 is a vulnerability identified in the python-glance-store package, a component commonly used in OpenStack environments to manage image storage. The flaw occurs when the package logs the access_key used for authentication at the DEBUG log level. This results in sensitive credential data being written to log files, which can be accessed by users or processes with permissions to read these logs.

The vulnerability has a CVSS 3.1 base score of 5.5, indicating medium severity. The attack vector is local (AV:L), requiring low privileges (PR:L) but no user interaction (UI:N). The scope is unchanged (S:U), and the impact is high on confidentiality (C:H) but none on integrity or availability (I:N/A:N).

Although no public exploits are known, the exposure of access keys in logs can facilitate unauthorized access to cloud resources if log files are improperly secured. This vulnerability highlights the risk of excessive logging of sensitive data, especially in debug modes that are sometimes enabled in development or troubleshooting scenarios but should be avoided in production. The issue is particularly relevant for organizations using OpenStack with python-glance-store, as leaked access keys could compromise cloud image storage and related services.

Potential Impact

For European organizations, the primary impact is the potential exposure of sensitive access keys used in OpenStack cloud environments, which could lead to unauthorized access to cloud image storage and related resources. This compromises confidentiality and could facilitate further attacks or data breaches. Organizations with insufficient log management or weak access controls on log files are at higher risk. The vulnerability does not directly affect system integrity or availability but can be a stepping stone for attackers to escalate privileges or move laterally within cloud infrastructure. The medium severity indicates a moderate risk, but the impact is amplified in environments where debug logging is enabled in production or where logs are accessible by multiple users or systems. This could affect cloud service providers, enterprises running private clouds, and public sector organizations relying on OpenStack. The lack of known exploits reduces immediate risk but does not eliminate the need for prompt mitigation.

Mitigation Recommendations

European organizations should immediately audit their logging configurations in OpenStack environments using python-glance-store. Specifically, disable DEBUG level logging in production systems to prevent sensitive data from being logged. Implement strict access controls on log files, ensuring only authorized personnel and processes can read them. Monitor logs for any unusual access patterns and consider encrypting log files at rest. Update python-glance-store to the latest patched version as soon as it becomes available from the vendor or community. Additionally, review and rotate any potentially exposed access keys to invalidate credentials that may have been logged. Incorporate logging best practices by sanitizing or redacting sensitive information before it is logged. Finally, educate development and operations teams about the risks of excessive logging and enforce policies to avoid enabling debug logs in production environments.
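
The redaction step recommended above, sketched as a Python `logging` filter. This is an added example, not code from python-glance-store or its upstream fix; the `secret_key` entry, the logger name and the sample log messages are assumptions constructed for illustration.

```python
import io
import logging
import re

# "access_key" is the field named in the advisory; "secret_key" is an assumed addition.
SENSITIVE_KEYS = ("access_key", "secret_key")
_KEYS = "|".join(re.escape(k) for k in SENSITIVE_KEYS)
# Matches key=value and 'key': 'value' forms, including prefixed key names.
_PATTERN = re.compile(
    r"(?P<key>['\"]?[\w.]*(?:" + _KEYS + r")['\"]?\s*[:=]\s*)"
    r"(?P<q>['\"]?)(?P<val>[^'\",\s}&]+)(?P=q)",
    re.IGNORECASE,
)


def redact(text):
    """Replace the value of any sensitive key with *** and keep the key name."""
    return _PATTERN.sub(lambda m: f"{m['key']}{m['q']}***{m['q']}", text)


class RedactSecretsFilter(logging.Filter):
    """Scrub secrets from a record before any handler formats or writes it."""

    def filter(self, record):
        # Render first so secrets passed as %-style args are covered too.
        record.msg = redact(record.getMessage())
        record.args = None
        return True


def demo():
    """Send constructed DEBUG lines through the filter and return the output."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    # Attach to the handler: logger-level filters do not see records
    # propagated from child loggers.
    handler.addFilter(RedactSecretsFilter())
    log = logging.getLogger("redaction_demo")  # hypothetical logger name
    log.handlers = [handler]
    log.setLevel(logging.DEBUG)
    log.propagate = False
    # Constructed sample messages, not real glance_store output.
    log.debug("store opts: %s", {"access_key": "AKIDEXAMPLE0001", "bucket": "images"})
    log.debug("connecting with access_key=%s host=%s", "AKIDEXAMPLE0002", "s3.example.test")
    return buf.getvalue()


if __name__ == "__main__":
    print(demo(), end="")
```

Tracebacks attached through `exc_info` are formatted by the handler's formatter after filtering, so this filter does not cover them. Pattern-based redaction is a backstop for log hygiene; keys that may already have been logged still need to be rotated.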

Technical Details

Data Version: 5.1
Assigner Short Name: redhat
Date Reserved: 2024-02-01T00:47:57.686Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68e8557cba0e608b4fb1eee7

Added to database: 10/10/2025, 12:38:20 AM

Last enriched: 11/20/2025, 6:43:08 PM

Last updated: 12/4/2025, 5:00:27 AM
