OSSA-2018-002: GET /v3/OS-FEDERATION/projects leaks project information

Date:July 25, 2018


  • Keystone: <11.0.4, ==12.0.0, ==13.0.0


Kristi Nikolla with Boston University reported a vulnerability in Keystone federation. By doing GET /v3/OS-FEDERATION/projects an authenticated user may discover projects they have no authority to access, leaking all projects in the deployment and their attributes. Only Keystone with the /v3/OS-FEDERATION endpoint enabled via policy.json is affected.


  • Kristi Nikolla from Boston University (CVE-2018-14432)

Table Of Contents

Previous topic

OSSA-2018-001: Raw underlying encrypted volume access

Next topic

Apply Restrictive File Permissions

This Page