OSSA-2014-029: Configuration option leak through Keystone catalog

Date: September 16, 2014
CVE: CVE-2014-3621

Affects

  • Keystone: up to 2013.2.3 and 2014.1 versions up to 2014.1.2.1

Description

Brant Knudson from IBM reported a vulnerability in Keystone catalog URL replacement. By creating a malicious endpoint, a privileged user may reveal configuration options, resulting in sensitive information such as the master admin_token being exposed through the service URL. All Keystone setups that allow non-admin users to create endpoints are affected.
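The substitution the advisory refers to, as an added illustration that is not part of the advisory or of Keystone's code: a simplified model of catalog `$(key)s` expansion, with the variant that exposes every configuration option beside one that only expands an assumed allowlist of keys. The configuration values and the allowlist are constructed for this example.

```python
import re

# Constructed stand-in for the service configuration; the values are made up.
CONFIG = {
    "admin_token": "EXAMPLE-SECRET-ADMIN-TOKEN",
    "public_port": "5000",
    "admin_port": "35357",
    "public_bind_host": "0.0.0.0",
    "admin_bind_host": "0.0.0.0",
}

# Keys that may legitimately appear in a catalog URL template
# (assumed allowlist for this illustration, not Keystone's own list).
ALLOWED_KEYS = frozenset({"tenant_id", "user_id", "public_port",
                          "admin_port", "public_bind_host", "admin_bind_host"})

# Matches template placeholders of the form $(name)s
_KEY_RE = re.compile(r"\$\((\w+)\)s")


def format_url_unsafe(url, request_data):
    """Expansion modelled on the vulnerable behaviour: the whole
    configuration is exposed as substitution data, so a template naming
    any option (e.g. admin_token) copies its value into the URL."""
    data = dict(CONFIG)
    data.update(request_data)
    return _KEY_RE.sub(lambda m: data[m.group(1)], url)


def template_is_allowed(url):
    """True when every placeholder in the URL is on the allowlist."""
    return set(_KEY_RE.findall(url)) <= ALLOWED_KEYS


def format_url_safe(url, request_data):
    """Hardened expansion: reject templates with non-allowlisted keys before
    rendering, and expose only allowlisted configuration values."""
    if not template_is_allowed(url):
        bad = sorted(set(_KEY_RE.findall(url)) - ALLOWED_KEYS)
        raise ValueError("disallowed substitution key(s): %s" % bad)
    data = {k: v for k, v in CONFIG.items() if k in ALLOWED_KEYS}
    data.update(request_data)
    return _KEY_RE.sub(lambda m: data[m.group(1)], url)


if __name__ == "__main__":
    print(format_url_safe("http://host:$(public_port)s/v2.0/$(tenant_id)s",
                          {"tenant_id": "abc"}))
```

Validating templates at endpoint-creation time with the same allowlist keeps a bad template out of the catalog entirely rather than only out of the rendered URL.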

Credits

  • Brant Knudson from IBM (CVE-2014-3621)

Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.