List: oss-security
Subject: [oss-security] [OSSA-2018-002] GET /v3/OS-FEDERATION/projects leaks project information (CVE-2018-14
From: Matthew Thode <prometheanfire () gentoo ! org>
Date: 2018-07-25 18:00:39
Message-ID: 20180725180039.figvv6qq4ivqdnj5 () gentoo ! org
=======================================================================
OSSA-2018-002: GET /v3/OS-FEDERATION/projects leaks project information
=======================================================================
:Date: July 25, 2018
:CVE: CVE-2018-14432
Affects
~~~~~~~
- Keystone: <11.0.4, ==12.0.0, ==13.0.0
Description
~~~~~~~~~~~
Kristi Nikolla with Boston University reported a vulnerability in
Keystone federation. By issuing GET /v3/OS-FEDERATION/projects, an
authenticated user may discover projects they have no authority to
access, leaking all projects in the deployment and their attributes.
Only Keystone deployments with the /v3/OS-FEDERATION endpoint enabled
via policy.json are affected.
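As an added example (not part of the advisory or of Keystone itself), the check below lets an operator verify a deployment after patching: it compares the project list returned by GET /v3/OS-FEDERATION/projects with the projects the same token is actually authorised for via GET /v3/auth/projects, and reports anything that appears only in the federation response. The base URL, token and sample responses are constructed, and the comparison assumes /v3/auth/projects reflects the caller's real role assignments.

```python
"""Post-patch verification for OSSA-2018-002 / CVE-2018-14432.

Constructed example, not Keystone code. On a patched Keystone the
OS-FEDERATION project listing is limited to the caller's own projects,
so leaked_projects() returns an empty list.
"""
import json
import urllib.request


def project_ids(body: dict) -> set:
    """Set of project IDs in a Keystone v3 project-list response."""
    return {p["id"] for p in body.get("projects", [])}


def leaked_projects(federation_body: dict, auth_body: dict) -> list:
    """Projects visible via OS-FEDERATION but absent from the caller's
    auth scope, sorted by id so the report is stable."""
    extra = project_ids(federation_body) - project_ids(auth_body)
    return sorted((p for p in federation_body.get("projects", [])
                   if p["id"] in extra), key=lambda p: p["id"])


def fetch_json(base_url: str, path: str, token: str) -> dict:
    """GET a Keystone v3 path with X-Auth-Token (network; not run here)."""
    req = urllib.request.Request(base_url.rstrip("/") + path,
                                 headers={"X-Auth-Token": token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


# Constructed responses standing in for an UNPATCHED deployment: the
# token is scoped to one project, yet federation lists every project.
AUTH_PROJECTS = {"projects": [
    {"id": "p1", "name": "team-a", "domain_id": "default", "enabled": True},
]}
FEDERATION_PROJECTS = {"projects": [
    {"id": "p1", "name": "team-a", "domain_id": "default", "enabled": True},
    {"id": "p2", "name": "finance", "domain_id": "default", "enabled": True},
    {"id": "p3", "name": "hr-old", "domain_id": "default", "enabled": False},
]}

if __name__ == "__main__":
    # Live use: replace the two constants with
    # fetch_json(KEYSTONE_URL, "/v3/OS-FEDERATION/projects", TOKEN) and
    # fetch_json(KEYSTONE_URL, "/v3/auth/projects", TOKEN).
    leaked = leaked_projects(FEDERATION_PROJECTS, AUTH_PROJECTS)
    print("VULNERABLE" if leaked else "OK: federation listing matches auth scope")
    for p in leaked:
        print(f"  leaked project {p['id']} ({p['name']}, enabled={p['enabled']})")
```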
Patches
~~~~~~~
- https://review.openstack.org/585802 (Ocata)
- https://review.openstack.org/585792 (Pike)
- https://review.openstack.org/585788 (Queens)
- https://review.openstack.org/585782 (Rocky)
Credits
~~~~~~~
- Kristi Nikolla from Boston University (CVE-2018-14432)
References
~~~~~~~~~~
- https://launchpad.net/bugs/1779205
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14432