
[Openstack] [OSSA-2018-002] GET /v3/OS-FEDERATION/projects leaks project information (CVE-2018-14432)

OSSA-2018-002: GET /v3/OS-FEDERATION/projects leaks project information

:Date: July 25, 2018
:CVE: CVE-2018-14432

- Keystone: <11.0.4, ==12.0.0, ==13.0.0

Kristi Nikolla with Boston University reported a vulnerability in
Keystone federation. By doing GET /v3/OS-FEDERATION/projects an
authenticated user may discover projects they have no authority to
access, leaking all projects in the deployment and their attributes.
Only Keystone with the /v3/OS-FEDERATION endpoint enabled via
policy.json is affected.

- (Ocata)
- (Pike)
- (Queens)
- (Rocky)

- Kristi Nikolla from Boston University (CVE-2018-14432)
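
Added example, not part of the original advisory or of Keystone: a small triage script that checks a Keystone version against the affected range above and counts successful GET /v3/OS-FEDERATION/projects requests per client in an access log. It assumes the comma-separated clauses of the range are alternatives, that versions are plain dotted numbers, and that the log is in Apache combined format; the sample log lines are constructed.

```python
import re
from collections import Counter

# Affected range as printed in the advisory; clauses are read as alternatives.
AFFECTED = "<11.0.4, ==12.0.0, ==13.0.0"
ENDPOINT = "/v3/OS-FEDERATION/projects"

def parse_version(text):
    """Turn '11.0.3' into (11, 0, 3), padding short versions with zeros."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def is_affected(version, spec=AFFECTED):
    """True if the version matches any clause of the advisory's range."""
    v = parse_version(version)
    for clause in spec.split(","):
        op, bound = re.fullmatch(r"\s*(<|==)\s*([\d.]+)\s*", clause).groups()
        b = parse_version(bound)
        if (op == "<" and v < b) or (op == "==" and v == b):
            return True
    return False

# Assumed Apache combined log format: client, identd, user, [time], "request", status
LOG_RE = re.compile(
    r'(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def federation_project_listings(lines):
    """Count successful GETs of the federation projects endpoint per client."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        path = m["path"].split("?", 1)[0].rstrip("/")
        if m["method"] == "GET" and path == ENDPOINT and m["status"] == "200":
            hits[m["client"]] += 1
    return hits

# Constructed sample log lines (documentation address ranges).
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Jul/2018:10:01:02 +0000] "GET /v3/OS-FEDERATION/projects HTTP/1.1" 200 5120 "-" "python-keystoneclient"',
    '192.0.2.10 - - [25/Jul/2018:10:01:09 +0000] "GET /v3/OS-FEDERATION/projects?name=x HTTP/1.1" 200 5120 "-" "curl/7.58.0"',
    '198.51.100.7 - - [25/Jul/2018:10:02:00 +0000] "GET /v3/OS-FEDERATION/projects HTTP/1.1" 401 114 "-" "curl/7.58.0"',
    '198.51.100.7 - - [25/Jul/2018:10:02:05 +0000] "GET /v3/projects HTTP/1.1" 200 900 "-" "curl/7.58.0"',
    '203.0.113.5 - - [25/Jul/2018:10:03:00 +0000] "GET /v3/OS-FEDERATION/projects/ HTTP/1.1" 200 5120 "-" "curl/7.58.0"',
]

if __name__ == "__main__":
    print("12.0.0 affected:", is_affected("12.0.0"))
    print(dict(federation_project_listings(SAMPLE_LOG)))
```

Federated users call this endpoint legitimately, so the counts are candidates for review on a deployment that ran an affected version, not proof of misuse.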

