CVE-2018-14432
Published: 31 July 2018
In the Federation component of OpenStack Keystone before 11.0.4, 12.0.0, and 13.0.0, an authenticated "GET /v3/OS-FEDERATION/projects" request may bypass intended access restrictions on listing projects. An authenticated user may discover projects they have no authority to access, leaking all projects in the deployment and their attributes. Only Keystone with the /v3/OS-FEDERATION endpoint enabled via policy.json is affected.
Notes
| Author | Note |
|---|---|
| mdeslaur | per redhat bug, not reproducible on release older than ocata |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
keystone Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(2:13.0.0-0ubuntu1)
|
| cosmic |
Not vulnerable
(2:14.0.0-0ubuntu2)
|
|
| disco |
Not vulnerable
(2:14.0.0-0ubuntu2)
|
|
| eoan |
Not vulnerable
(2:14.0.0-0ubuntu2)
|
|
| focal |
Not vulnerable
(2:14.0.0-0ubuntu2)
|
|
| trusty |
Does not exist
(trusty was needs-triage)
|
|
| upstream |
Released
(2:13.0.0-7)
|
|
| xenial |
Not vulnerable
(2:9.3.0-0ubuntu3.2)
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 5.3 |
| Attack vector | Network |
| Attack complexity | High |
| Privileges required | Low |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | None |
| Availability impact | None |
| Vector | CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N |