Date: Wed, 25 Jul 2018 13:00:39 -0500 From: Matthew Thode <prometheanfire@...too.org> To: oss-security@...ts.openwall.com Subject: [OSSA-2018-002] GET /v3/OS-FEDERATION/projects leaks project information (CVE-2018-14432) ======================================================================= OSSA-2018-002: GET /v3/OS-FEDERATION/projects leaks project information ======================================================================= :Date: July 25, 2018 :CVE: CVE-2018-14432 Affects ~~~~~~~ - Keystone: <11.0.4, ==12.0.0, ==13.0.0 Description ~~~~~~~~~~~ Kristi Nikolla with Boston University reported a vulnerability in Keystone federation. By doing GET /v3/OS-FEDERATION/projects an authenticated user may discover projects they have no authority to access, leaking all projects in the deployment and their attributes. Only Keystone with the /v3/OS-FEDERATION endpoint enabled via policy.json is affected. Patches ~~~~~~~ - https://review.openstack.org/585802 (Ocata) - https://review.openstack.org/585792 (Pike) - https://review.openstack.org/585788 (Queens) - https://review.openstack.org/585782 (Rocky) Credits ~~~~~~~ - Kristi Nikolla from Boston University (CVE-2018-14432) References ~~~~~~~~~~ - https://launchpad.net/bugs/1779205 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14432 Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ