Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 664330 (CVE-2018-14432) - <sys-auth/keystone-13.0.1: Information Exposure through /v3/OS-FEDERATION/projects (CVE-2018-14432)
Summary: <sys-auth/keystone-13.0.1: Information Exposure through /v3/OS-FEDERATION/pro...
Status: RESOLVED FIXED
Alias: CVE-2018-14432
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B4 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2018-08-22 23:26 UTC by GLSAMaker/CVETool Bot
Modified: 2019-03-27 04:40 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2018-08-22 23:26:24 UTC 
CVE-2018-14432 (https://nvd.nist.gov/vuln/detail/CVE-2018-14432):
  In the Federation component of OpenStack Keystone before 11.0.4, 12.0.0, and
  13.0.0, an authenticated "GET /v3/OS-FEDERATION/projects" request may bypass
  intended access restrictions on listing projects. An authenticated user may
  discover projects they have no authority to access, leaking all projects in
  the deployment and their attributes. Only Keystone with the
  /v3/OS-FEDERATION endpoint enabled via policy.json is affected.


@ Maintainer(s): Please tell us if v13.0.1 is affected or we just need to cleanup previous version(s).
Comment 1 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2018-08-23 06:26:21 UTC 
it was cleaned, nothing in tree is exposed to this
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2019-03-27 04:40:20 UTC 
GLSA Vote: No

Arches and Maintainer(s), Thank you for your work.