Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS0yajIzLWZ3cW0tbWd3cs4AAi4u

OpenStack Keystone Credential Leakage

OpenStack Keystone 15.0.0 and 16.0.0 is affected by Data Leakage in the list credentials API. Any user with a role on a project is able to list any credentials with the /v3/credentials API when enforce_scope is false. Users with a role on a project are able to view any other users' credentials, which could (for example) leak sign-on information for Time-based One Time Passwords (TOTP). Deployments with enforce_scope set to false are affected. (There will be a slight performance impact for the list credentials API once this issue is fixed.)

Permalink: https://github.com/advisories/GHSA-2j23-fwqm-mgwr
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0yajIzLWZ3cW0tbWd3cs4AAi4u
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: 7 months ago

CVSS Score: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-2j23-fwqm-mgwr, CVE-2019-19687
References:

Repository: https://github.com/openstack/keystone
Blast Radius: 13.8

Affected Packages

pypi:keystone

Dependent packages: 3
Dependent repositories: 37
Downloads: 5,716 last month
Affected Version Ranges: = 16.0.0, = 15.0.0
Fixed in: 16.0.1, 15.0.1
All affected versions: 15.0.0, 16.0.0
All unaffected versions: 12.0.2, 12.0.3, 13.0.2, 13.0.3, 13.0.4, 14.0.0, 14.0.1, 14.1.0, 14.2.0, 15.0.1, 16.0.1, 16.0.2, 17.0.0, 17.0.1, 18.0.0, 18.1.0, 19.0.0, 19.0.1, 20.0.0, 20.0.1, 21.0.0, 21.0.1, 22.0.0, 22.0.1, 22.0.2, 23.0.0, 23.0.1, 24.0.0, 25.0.0