CVE-2018-14432
openstack-keystone: Information Exposure through /v3/OS-FEDERATION/projects
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
In the Federation component of OpenStack Keystone before 11.0.4, 12.0.0, and 13.0.0, an authenticated "GET /v3/OS-FEDERATION/projects" request may bypass intended access restrictions on listing projects. An authenticated user may discover projects they have no authority to access, leaking all projects in the deployment and their attributes. Only Keystone with the /v3/OS-FEDERATION endpoint enabled via policy.json is affected.
En el componente Federation de OpenStack Keystone en versiones anteriores a la 11.0.4, 12.0.0 y 13.0.0, una petición "GET /v3/OS-FEDERATION/projects" autenticada podría omitir las restricciones de acceso planeadas en los proyectos en lista. Un usuario autenticado podría descubrir proyectos a los que no están autorizados a acceder, filtrando todos los proyectos desplegados y sus atributos. Solo se ha visto afectado Keystone con el endpoint /v3/OS-FEDERATION habilitado mediante policy.json.
A flaw was found in Keystone federation. By doing GET /v3/OS-FEDERATION/projects an authenticated user may discover projects they have no authority to access, leaking all projects in the deployment and their attributes. Only Keystone with the /v3/OS-FEDERATION endpoint enabled via policy.json is affected.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2018-07-19 CVE Reserved
- 2018-07-31 CVE Published
- 2024-02-24 EPSS Updated
- 2024-08-05 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CAPEC
References (8)
| URL | Tag | Source |
|---|---|---|
| http://www.securityfocus.com/bid/104930 | Third Party Advisory |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| http://www.openwall.com/lists/oss-security/2018/07/25/2 | 2021-08-04 |
| URL | Date | SRC |
|---|---|---|
| https://access.redhat.com/errata/RHSA-2018:2523 | 2021-08-04 | |
| https://access.redhat.com/errata/RHSA-2018:2533 | 2021-08-04 | |
| https://access.redhat.com/errata/RHSA-2018:2543 | 2021-08-04 | |
| https://www.debian.org/security/2018/dsa-4275 | 2021-08-04 | |
| https://access.redhat.com/security/cve/CVE-2018-14432 | 2018-08-22 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1606868 | 2018-08-22 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Openstack Search vendor "Redhat" for product "Openstack" | 10 Search vendor "Redhat" for product "Openstack" and version "10" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Openstack Search vendor "Redhat" for product "Openstack" | 12 Search vendor "Redhat" for product "Openstack" and version "12" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Openstack Search vendor "Redhat" for product "Openstack" | 13 Search vendor "Redhat" for product "Openstack" and version "13" | - |
Affected
| ||||||
| Openstack Search vendor "Openstack" | Keystone Search vendor "Openstack" for product "Keystone" | < 11.0.4 Search vendor "Openstack" for product "Keystone" and version " < 11.0.4" | - |
Affected
| ||||||
| Openstack Search vendor "Openstack" | Keystone Search vendor "Openstack" for product "Keystone" | 12.0.0 Search vendor "Openstack" for product "Keystone" and version "12.0.0" | - |
Affected
| ||||||
| Openstack Search vendor "Openstack" | Keystone Search vendor "Openstack" for product "Keystone" | 13.0.0 Search vendor "Openstack" for product "Keystone" and version "13.0.0" | - |
Affected
| ||||||