From: Matthew Thode <prometheanfire at gentoo.org>
Date: Wed, 25 Jul 2018 12:56:54 -0500
Subject: [openstack-announce] [OSSA-2018-002] GET /v3/OS-FEDERATION/projects leaks project information (CVE-2018-14432)
Message-ID: <20180725175654.tus4pp3wi3ywrfzt@gentoo.org>

=======================================================================
OSSA-2018-002: GET /v3/OS-FEDERATION/projects leaks project information
=======================================================================

:Date: July 25, 2018
:CVE: CVE-2018-14432

Affects
~~~~~~~
- Keystone: <11.0.4, ==12.0.0, ==13.0.0

Description
~~~~~~~~~~~
Kristi Nikolla with Boston University reported a vulnerability in Keystone
federation. By issuing GET /v3/OS-FEDERATION/projects, an authenticated user
may discover projects they have no authority to access; the response lists
every project in the deployment together with its attributes, not only the
projects the user holds a role assignment on. Only Keystone deployments that
expose the /v3/OS-FEDERATION endpoint to the user via policy.json are
affected; where policy denies the call, the information is not disclosed.

Patches
~~~~~~~
- https://review.openstack.org/585802 (Ocata)
- https://review.openstack.org/585792 (Pike)
- https://review.openstack.org/585788 (Queens)
- https://review.openstack.org/585782 (Rocky)

Credits
~~~~~~~
- Kristi Nikolla from Boston University (CVE-2018-14432)

References
~~~~~~~~~~
- https://launchpad.net/bugs/1779205
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14432
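The following checker is an added example and is not part of the advisory or of Keystone's own code. It gives an operator a way to confirm whether a deployment exhibits the over-disclosure described above: GET /v3/auth/projects is Keystone's authoritative list of projects a token holder may scope to, so on a patched Keystone the same token's GET /v3/OS-FEDERATION/projects response should not contain projects outside that set. The script compares the two bodies and reports any extra projects. The environment variable names KEYSTONE_BASE_URL and KEYSTONE_TOKEN are assumed for this example, the sample response bodies are constructed (not captured from a real deployment), and a 403 on the federation endpoint is treated as "endpoint not enabled by policy", matching the advisory's scoping statement.

```python
"""Checker for the project over-disclosure in OSSA-2018-002 / CVE-2018-14432.

Compares GET /v3/auth/projects (projects the token's user may scope to) with
GET /v3/OS-FEDERATION/projects for the same token.  Anything the federation
endpoint returns beyond the /v3/auth/projects set is over-disclosure.
Environment variable names below are assumptions made for this example.
"""
import json
import os
import sys
import urllib.error
import urllib.request

AUTH_PROJECTS_PATH = "/v3/auth/projects"
FEDERATION_PROJECTS_PATH = "/v3/OS-FEDERATION/projects"


def fetch_json(base_url, token, path):
    """GET base_url + path with an X-Auth-Token header; return the parsed JSON body."""
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        headers={"X-Auth-Token": token, "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def leaked_projects(federation_body, auth_body):
    """Return projects listed by OS-FEDERATION/projects but absent from
    /v3/auth/projects for the same token, sorted by id.

    Both arguments are parsed JSON bodies: dicts with a "projects" list whose
    entries carry at least an "id".  An empty result is the expected outcome
    on a patched deployment.
    """
    allowed = {p["id"] for p in auth_body.get("projects", [])}
    extra = [p for p in federation_body.get("projects", []) if p["id"] not in allowed]
    return sorted(extra, key=lambda p: p["id"])


# Constructed sample bodies (not from a real deployment).  They model a token
# whose user holds a role on one project while the federation endpoint returns
# every project in the deployment, as the advisory describes.
SAMPLE_AUTH_BODY = {
    "projects": [
        {"id": "7d3a1c0e2b4f4a5e9f0b1c2d3e4f5a6b", "name": "team-a",
         "domain_id": "default", "enabled": True},
    ],
    "links": {"self": "https://keystone.example/v3/auth/projects",
              "previous": None, "next": None},
}
SAMPLE_FEDERATION_BODY = {
    "projects": [
        {"id": "7d3a1c0e2b4f4a5e9f0b1c2d3e4f5a6b", "name": "team-a",
         "domain_id": "default", "enabled": True},
        {"id": "0a9b8c7d6e5f4a3b2c1d0e9f8a7b6c5d", "name": "finance",
         "domain_id": "default", "enabled": True},
        {"id": "ffee0011223344556677889900aabbcc", "name": "hr-archive",
         "domain_id": "default", "enabled": False},
    ],
    "links": {"self": "https://keystone.example/v3/OS-FEDERATION/projects",
              "previous": None, "next": None},
}


def check_live(base_url, token):
    """Run the comparison against a real Keystone.

    Returns (status, leaked) with status one of "leak", "clean" or
    "endpoint-denied" (policy returned 403 for the federation call).
    """
    auth_body = fetch_json(base_url, token, AUTH_PROJECTS_PATH)
    try:
        fed_body = fetch_json(base_url, token, FEDERATION_PROJECTS_PATH)
    except urllib.error.HTTPError as err:
        if err.code == 403:
            # Policy does not expose the endpoint to this token; the
            # advisory scopes the issue to deployments where it is enabled.
            return "endpoint-denied", []
        raise
    leaked = leaked_projects(fed_body, auth_body)
    return ("leak" if leaked else "clean"), leaked


def main():
    base_url = os.environ.get("KEYSTONE_BASE_URL")  # assumed name, e.g. https://keystone.example:5000
    token = os.environ.get("KEYSTONE_TOKEN")        # assumed name, an unscoped token for the test user
    if base_url and token:
        status, leaked = check_live(base_url, token)
    else:
        # Offline demonstration on the constructed bodies.
        leaked = leaked_projects(SAMPLE_FEDERATION_BODY, SAMPLE_AUTH_BODY)
        status = "leak" if leaked else "clean"
    print("status:", status)
    for p in leaked:
        print(f"  over-disclosed: {p['id']} name={p.get('name')} enabled={p.get('enabled')}")
    return 1 if status == "leak" else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it with a token for an ordinary, low-privilege user (not an admin, whose /v3/auth/projects set would already be large). With no environment set it runs offline on the constructed bodies and reports the two extra projects; against a live Keystone a non-empty result is a strong signal but still worth confirming by hand, since /v3/auth/projects reflects assignments through the user's groups as well as direct ones.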