CVE-2018-14432

Sažetak

In the Federation component of OpenStack Keystone before 11.0.4, 12.0.0, and 13.0.0, an authenticated "GET /v3/OS-FEDERATION/projects" request may bypass intended access restrictions on listing projects. An authenticated user may discover projects they have no authority to access, leaking all projects in the deployment and their attributes. Only Keystone with the /v3/OS-FEDERATION endpoint enabled via policy.json is affected.

Reference

http://www.openwall.com/lists/oss-security/2018/07/25/2
http://www.securityfocus.com/bid/104930
https://www.debian.org/security/2018/dsa-4275
https://access.redhat.com/errata/RHSA-2018:2523
https://access.redhat.com/errata/RHSA-2018:2533
https://access.redhat.com/errata/RHSA-2018:2543

CVSS

Base:	3.5
Impact:	2.9
Exploitability:	6.8

Pristup

Vektor	Složenost	Autentikacija
NETWORK	MEDIUM	SINGLE

Impact

Povjerljivost	Cjelovitost	Dostupnost
PARTIAL	NONE	NONE

CVSS vektor

AV:N/AC:M/Au:S/C:P/I:N/A:N

Zadnje važnije ažuriranje

04-08-2021 - 17:15

Objavljeno

31-07-2018 - 14:29