CVE-2019-19687
openstack-keystone: Credentials API allows non-admin to list and retrieve all users credentials
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
OpenStack Keystone 15.0.0 and 16.0.0 is affected by Data Leakage in the list credentials API. Any user with a role on a project is able to list any credentials with the /v3/credentials API when enforce_scope is false. Users with a role on a project are able to view any other users' credentials, which could (for example) leak sign-on information for Time-based One Time Passwords (TOTP). Deployments with enforce_scope set to false are affected. (There will be a slight performance impact for the list credentials API once this issue is fixed.)
OpenStack Keystone versiones 15.0.0 y 16.0.0, está afectado por un Filtrado de Datos en la API de credenciales de lista. Cualquier usuario con un rol en un proyecto es capaz de enumerar cualquier credencial con la API de /v3/credentials cuando la función enforce_scope es falsa. Los usuarios con un rol en un proyecto pueden visualizar las credenciales de cualquier otro usuario, lo que podría (por ejemplo) filtrar información de inicio de sesión de Time-based One Time Passwords (TOTP). Las implementaciones con la función enforce_scope establecida en false están afectadas. (Habrá un ligero impacto en el rendimiento de la API de credenciales de lista una vez que este problema sea corregido).
A disclosure vulnerability was found in openstack-keystone's credentials API. Users with a project role are able to list any credentials with the /v3/credentials API when enforce_scope is false. Information for time-based one time passwords (TOTP) may also be disclosed. Deployments running keystone with enforce_scope set to false are also affected. There will be a slight performance impact for the list credentials API once this issue is fixed.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2019-12-09 CVE Reserved
- 2019-12-09 CVE Published
- 2024-04-03 EPSS Updated
- 2024-08-05 CVE Updated
- 2024-08-05 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-522: Insufficiently Protected Credentials
CAPEC
References (10)
URL | Tag | Source |
---|---|---|
http://www.openwall.com/lists/oss-security/2019/12/11/8 | Mailing List |
URL | Date | SRC |
---|---|---|
https://bugs.launchpad.net/keystone/+bug/1855080 | 2024-08-05 |
URL | Date | SRC |
---|---|---|
https://review.opendev.org/#/c/697355 | 2019-12-20 | |
https://review.opendev.org/#/c/697611 | 2019-12-20 | |
https://review.opendev.org/#/c/697731 | 2019-12-20 |
URL | Date | SRC |
---|---|---|
https://access.redhat.com/errata/RHSA-2019:4358 | 2019-12-20 | |
https://security.openstack.org/ossa/OSSA-2019-006.html | 2019-12-20 | |
https://usn.ubuntu.com/4262-1 | 2019-12-20 | |
https://access.redhat.com/security/cve/CVE-2019-19687 | 2019-12-19 | |
https://bugzilla.redhat.com/show_bug.cgi?id=1781470 | 2019-12-19 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Openstack Search vendor "Openstack" | Keystone Search vendor "Openstack" for product "Keystone" | 15.0.0 Search vendor "Openstack" for product "Keystone" and version "15.0.0" | - |
Affected
| ||||||
Openstack Search vendor "Openstack" | Keystone Search vendor "Openstack" for product "Keystone" | 16.0.0 Search vendor "Openstack" for product "Keystone" and version "16.0.0" | - |
Affected
|