[OSSA-2019-006] Credentials API allows listing and retrieving of all users credentials (CVE-2019-19687)

Gage Hugo gagehugo at gmail.com
Wed Dec 11 16:32:14 UTC 2019 

=====================================================================================
OSSA-2019-006: Credentials API allows listing and retrieving of all users
credentials
=====================================================================================

:Date: December 09, 2019
:CVE: CVE-2019-19687


Affects
~~~~~~~
- Keystone: ==15.0.0, ==16.0.0


Description
~~~~~~~~~~~
Daniel Preussker reported a vulnerability in Keystone's list
credentials API. Any user with a role on a project is able to list any
credentials with the /v3/credentials API when [oslo_policy]
enforce_scope is false. Users with a role on a project are able to
view any other users credentials, which could leak sign-on information
for Time-based One Time Passwords (TOTP) or othewise. Deployments
running keystone with [oslo_policy] enforce_scope set to false are
affected. There will be a slight performance impact for the list
credentials API once this issue is fixed.


Patches
~~~~~~~
- https://review.opendev.org/697731 (Stein)
- https://review.opendev.org/697611 (Train)
- https://review.opendev.org/697355 (Ussuri)


Credits
~~~~~~~
- Daniel Preussker (CVE-2019-19687)


References
~~~~~~~~~~
- https://bugs.launchpad.net/keystone/+bug/1855080
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19687
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-discuss/attachments/20191211/a877344e/attachment.html>
-------------- next part --------------
-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEWa125cLHIuv6ekof56j9K3b+vREFAl3xGeUACgkQ56j9K3b+
vRGIFw/8CNnL2aDqOi+7AcCH5alknVoWJS5Dd/EymQVDI07vbe4yneghwcQwEs6S
BUR25+xB5ukjPJdxsILTrm4UbhEMPUzjgT7PQN71Q1/ge8XY1YIRzBwMnjYm0nQr
sYRBl8L1OQ3CQsAtnH+hB/qMCkxlQeXtOMiBcz3/1B2qcH/AruXtJxhVD9swJHew
fOn5WNdODlDPKCmls0xK6csZX4RBcsXc04aPr3fSuOIzcwNZ260sr+8MfeTr3mi3
SO4t2uYQgQmhgaPnvM3tyMFa+ry+mFvq6MFigPUhp+Akd0eYasHa3rg6/I/LQO0Z
ImWCSAnjntWigbyhQhLrxIIEdoxu/vgTVCciPWtgwMfxDOLw1jhj3kBzdeb3S5pA
yoyY1+H8nXaze2UQOfbM1FHyO2cTkOjyzVdbrF5bg8vNl4haL5egu6UVD018H5pc
voJwcrxgJUobO+kTzuOpjWzlHeqRryLXDhH191cVKoUBIgIpi0KEbyBOIAwMNciU
vkvNqRDi9rGfaM+QWUWgf12G2FRnkqmFqbnlLY6hpz5uinueEVn7iTC2LnfBA+Um
GX0qsWv4L3dQXf9rtTdCNpGvw7nsBGcqYqUw9C7piAVKfGDZ6LBiuQbseW+ONLCK
7vq7rLyJq9JCjwIWr53d8lLp0hLTrV/bH5hcICusEY3WfH+cJZs=
=pUkl
-----END PGP SIGNATURE-----

More information about the openstack-discuss mailing list