Your submission was sent successfully! Close

CVE-2014-3621

Published: 2 October 2014

The catalog url replacement in OpenStack Identity (Keystone) before 2013.2.3 and 2014.1 before 2014.1.2.1 allows remote authenticated users to read sensitive configuration options via a crafted endpoint, as demonstrated by "$(admin_token)" in the publicurl endpoint field.

Priority

Medium

Status

Package Release Status
keystone
Launchpad, Ubuntu, Debian
lucid Does not exist

precise Does not exist
(precise was needed)
trusty Does not exist
(trusty was released [1:2014.1.3-0ubuntu1])
upstream
Released (2013.2.3, 2014.1.2.1)
utopic
Released (1:2014.2~rc1-0ubuntu1)
vivid
Released (1:2014.2~rc1-0ubuntu1)
wily
Released (1:2014.2~rc1-0ubuntu1)
xenial
Released (1:2014.2~rc1-0ubuntu1)
yakkety
Released (1:2014.2~rc1-0ubuntu1)
zesty
Released (1:2014.2~rc1-0ubuntu1)

Notes

AuthorNote
jdstrand
12.04 is affected. Create test service and malicious endpoint as
per the bug, then do (assumes 'testadmin' is in the 'admin' project (use
tenant id from `keystone tenant-list|grep admin`):
curl -k -X 'POST' -v http://127.0.0.1:5000/v2.0/tokens -d '{"auth":{"passwordCredentials":{"username": "testadmin", "password":"<pass>"}, "tenantId": "<id>"}}' -H 'Content-type: application/json' | python -m json.tool

References

Bugs