Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXhmOGMtM2NneC1mY3dt
Improper Access Control in novajoin
A flaw was discovered in the python-novajoin plugin, all versions up to, excluding 1.1.1, for Red Hat OpenStack Platform. The novajoin API lacked sufficient access control, allowing any keystone authenticated user to generate FreeIPA tokens.
Permalink: https://github.com/advisories/GHSA-xf8c-3cgx-fcwmJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXhmOGMtM2NneC1mY3dt
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 5 years ago
Updated: 4 months ago
CVSS Score: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Percentage: 0.00098
EPSS Percentile: 0.41935
Identifiers: GHSA-xf8c-3cgx-fcwm, CVE-2019-10138
References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-10138
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10138
- https://github.com/pypa/advisory-database/tree/main/vulns/novajoin/PYSEC-2019-192.yaml
- https://review.opendev.org/#/c/631240
- https://github.com/advisories/GHSA-xf8c-3cgx-fcwm
Affected Packages
pypi:novajoin
Dependent packages: 0Dependent repositories: 2
Downloads: 349 last month
Affected Version Ranges: <= 1.1.0
Fixed in: 1.1.1
All affected versions: 1.0.9, 1.0.10, 1.0.11, 1.0.12, 1.0.13, 1.0.14, 1.0.15, 1.0.16, 1.0.17, 1.0.18, 1.0.19, 1.0.20, 1.0.21, 1.0.22, 1.1.0
All unaffected versions: 1.1.1, 1.2.0, 1.3.0