OSSA-2014-029: Configuration option leak through Keystone catalog

OSSA-2014-029: Configuration option leak through Keystone catalog¶

Date:: September 16, 2014
CVE:: CVE-2014-3621

Affects¶

Keystone: up to 2013.2.3 and 2014.1 versions up to 2014.1.2.1

Description¶

Brant Knudson from IBM reported a vulnerability in Keystone catalog url replacement. By creating a malicious endpoint a privileged user may reveal configuration options resulting in sensitive information, like master admin_token, being exposed through the service url. All Keystone setups that allow non-admin users to create endpoints are affected.

Patches¶

Credits¶

Brant Knudson from IBM (CVE-2014-3621)

References¶

this page last updated: 2024-10-03 16:29:15

Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.