OSSA-2014-029: Configuration option leak through Keystone catalog¶
September 16, 2014
Keystone: up to 2013.2.3 and 2014.1 versions up to 2014.1.2.1
Brant Knudson from IBM reported a vulnerability in Keystone catalog url replacement. By creating a malicious endpoint a privileged user may reveal configuration options resulting in sensitive information, like master admin_token, being exposed through the service url. All Keystone setups that allow non-admin users to create endpoints are affected.
Brant Knudson from IBM (CVE-2014-3621)