[openstack-announce] [OSSA 2014-029] Configuration option leak through Keystone catalog (CVE-2014-3621)

Tristan Cacqueray tristan.cacqueray at enovance.com
Tue Sep 16 19:31:30 UTC 2014

OpenStack Security Advisory: 2014-029
CVE: CVE-2014-3621
Date: September 16, 2014

Title: Configuration option leak through Keystone catalog
Reporter: Brant Knudson (IBM)
Products: Keystone
Versions: up to 2013.2.3 and 2014.1 versions up to 2014.1.2.1

Brant Knudson from IBM reported a vulnerability in Keystone catalog url
replacement. By creating a malicious endpoint a privileged user may
reveal configuration options resulting in sensitive information, like
master admin_token, being exposed through the service url. All Keystone
setups that allow non-admin users to create endpoints are affected.

Juno (development branch) fix:

Icehouse fix:

Havana fix:

This fix will be included in the Juno release 2014.2.0 and in future
stable 2013.2.4 and 2014.1.3 releases.


Tristan Cacqueray
OpenStack Vulnerability Management Team

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signature
URL: <http://lists.openstack.org/pipermail/openstack-announce/attachments/20140916/0f277814/attachment.pgp>

More information about the OpenStack-announce mailing list