In the Federation component of OpenStack Keystone before 11.0.4, 12.0.0, and 13.0.0, an authenticated "GET /v3/OS-FEDERATION/projects" request may bypass the intended access restrictions on listing projects. An authenticated user may thereby discover projects they have no authority to access, leaking all projects in the deployment and their attributes. Only Keystone deployments with the /v3/OS-FEDERATION endpoint enabled via policy.json are affected.
References
Link | Resource
---|---
http://www.openwall.com/lists/oss-security/2018/07/25/2 | Mailing List, Patch, Third Party Advisory
http://www.securityfocus.com/bid/104930 | Third Party Advisory, VDB Entry
https://access.redhat.com/errata/RHSA-2018:2523 | Vendor Advisory
https://access.redhat.com/errata/RHSA-2018:2533 | Vendor Advisory
https://access.redhat.com/errata/RHSA-2018:2543 | Vendor Advisory
https://www.debian.org/security/2018/dsa-4275 | Third Party Advisory
Configurations
Configuration 1
Configuration 2
Configuration 3
History
No history.
Information
Published : 2018-07-31 14:29
Updated : 2024-02-28 16:48
NVD link : CVE-2018-14432
Mitre link : CVE-2018-14432
CVE.ORG link : CVE-2018-14432
Products Affected
redhat
- openstack
debian
- debian_linux
openstack
- keystone
CWE
CWE-200
Exposure of Sensitive Information to an Unauthorized Actor