OSSA-2018-002: GET /v3/OS-FEDERATION/projects leaks project information

OSSA-2018-002: GET /v3/OS-FEDERATION/projects leaks project information¶

Date:: July 25, 2018
CVE:: CVE-2018-14432

Affects¶

Keystone: <11.0.4, ==12.0.0, ==13.0.0

Description¶

Kristi Nikolla with Boston University reported a vulnerability in Keystone federation. By doing GET /v3/OS-FEDERATION/projects an authenticated user may discover projects they have no authority to access, leaking all projects in the deployment and their attributes. Only Keystone with the /v3/OS-FEDERATION endpoint enabled via policy.json is affected.

Patches¶

https://review.openstack.org/585802 (Ocata)
https://review.openstack.org/585792 (Pike)
https://review.openstack.org/585788 (Queens)
https://review.openstack.org/585782 (Rocky)

Credits¶

Kristi Nikolla from Boston University (CVE-2018-14432)

References¶

this page last updated: 2024-10-03 16:29:15

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.