CVE-2019-19687

openstack-keystone: Credentials API allows non-admin to list and retrieve all users credentials

Severity Score

8.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

OpenStack Keystone 15.0.0 and 16.0.0 is affected by Data Leakage in the list credentials API. Any user with a role on a project is able to list any credentials with the /v3/credentials API when enforce_scope is false. Users with a role on a project are able to view any other users' credentials, which could (for example) leak sign-on information for Time-based One Time Passwords (TOTP). Deployments with enforce_scope set to false are affected. (There will be a slight performance impact for the list credentials API once this issue is fixed.)

OpenStack Keystone versiones 15.0.0 y 16.0.0, está afectado por un Filtrado de Datos en la API de credenciales de lista. Cualquier usuario con un rol en un proyecto es capaz de enumerar cualquier credencial con la API de /v3/credentials cuando la función enforce_scope es falsa. Los usuarios con un rol en un proyecto pueden visualizar las credenciales de cualquier otro usuario, lo que podría (por ejemplo) filtrar información de inicio de sesión de Time-based One Time Passwords (TOTP). Las implementaciones con la función enforce_scope establecida en false están afectadas. (Habrá un ligero impacto en el rendimiento de la API de credenciales de lista una vez que este problema sea corregido).

A disclosure vulnerability was found in openstack-keystone's credentials API. Users with a project role are able to list any credentials with the /v3/credentials API when enforce_scope is false. Information for time-based one time passwords (TOTP) may also be disclosed. Deployments running keystone with enforce_scope set to false are also affected. There will be a slight performance impact for the list credentials API once this issue is fixed.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Attack Vector

Network

Attack Complexity

Medium

Authentication

Single

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2019-12-09 CVE Reserved
2019-12-09 CVE Published
2024-04-03 EPSS Updated
2024-08-05 CVE Updated
2024-08-05 First Exploit
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-522: Insufficiently Protected Credentials

CAPEC

References (10)

URL	Tag	Source
http://www.openwall.com/lists/oss-security/2019/12/11/8	Mailing List

URL	Date	SRC
https://bugs.launchpad.net/keystone/+bug/1855080	2024-08-05

URL	Date	SRC
https://review.opendev.org/#/c/697355	2019-12-20
https://review.opendev.org/#/c/697611	2019-12-20
https://review.opendev.org/#/c/697731	2019-12-20

URL	Date	SRC
https://access.redhat.com/errata/RHSA-2019:4358	2019-12-20
https://security.openstack.org/ossa/OSSA-2019-006.html	2019-12-20
https://usn.ubuntu.com/4262-1	2019-12-20
https://access.redhat.com/security/cve/CVE-2019-19687	2019-12-19
https://bugzilla.redhat.com/show_bug.cgi?id=1781470	2019-12-19

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Openstack Search vendor "Openstack"		Keystone Search vendor "Openstack" for product "Keystone"				15.0.0 Search vendor "Openstack" for product "Keystone" and version "15.0.0"		-		Affected
Openstack Search vendor "Openstack"		Keystone Search vendor "Openstack" for product "Keystone"				16.0.0 Search vendor "Openstack" for product "Keystone" and version "16.0.0"		-		Affected