OpenStack Security Advisory: 2013-013 CVE: CVE-2013-2013 Date: May 23, 2013 Title: Keystone client local information disclosure Reporter: Jake Dahn (Nebula) Products: python-keystoneclient Affects: All versions Description: Jake Dahn from Nebula reported a vulnerability that the keystone client only allows passwords to be updated in a clear text command-line argument, which may enable other local users to obtain sensitive information by listing the process and potentially leaves a record of the password within the shell command history. Fix: https://review.openstack.org/28702 Notes: A fix has already been merged to the python-keystoneclient master branch on 2013-05-21 (commit f2e0818) which adds an interactive password prompt, and will appear in the next release of python-keystoneclient. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2013 https://bugs.launchpad.net/python-keystoneclient/+bug/938315 -- Jeremy Stanley (fungi) OpenStack Vulnerability Management Team