[openstack-announce] [OSSA 2013-013] Keystone client local information disclosure (CVE-2013-2013)

Jeremy Stanley jeremy at openstack.org
Thu May 23 20:52:12 UTC 2013


OpenStack Security Advisory: 2013-013
CVE: CVE-2013-2013
Date: May 23, 2013
Title: Keystone client local information disclosure
Reporter: Jake Dahn (Nebula)
Products: python-keystoneclient
Affects: All versions

Description:
Jake Dahn from Nebula reported a vulnerability that the keystone
client only allows passwords to be updated in a clear text
command-line argument, which may enable other local users to obtain
sensitive information by listing the process and potentially leaves
a record of the password within the shell command history.

Fix:
https://review.openstack.org/28702

Notes:
A fix has already been merged to the python-keystoneclient master
branch on 2013-05-21 (commit f2e0818) which adds an interactive
password prompt, and will appear in the next release of
python-keystoneclient.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2013
https://bugs.launchpad.net/python-keystoneclient/+bug/938315

-- 
Jeremy Stanley (fungi)
OpenStack Vulnerability Management Team
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 966 bytes
Desc: Digital signature
URL: <http://lists.openstack.org/pipermail/openstack-announce/attachments/20130523/207943a5/attachment.pgp>


More information about the OpenStack-announce mailing list