CVE-2018-14432 Information
Description
In the Federation component of OpenStack Keystone before 11.0.4, 12.0.0 and 13.0.0, an authenticated GET /v3/OS-FEDERATION/projects request may bypass the intended access restrictions on listing projects. An authenticated user with no admin role can discover projects they have no authority to access, leaking every project in the deployment together with its attributes (name, description, domain, enabled flag). Only Keystone deployments with the /v3/OS-FEDERATION endpoint enabled via policy.json are affected. Note that the bypass is an information disclosure only: it grants no role on the listed projects, which is why the vector below scores Confidentiality as High and Integrity and Availability as None.
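The practical question for an operator is whether a low-privilege token on their deployment returns more from /v3/OS-FEDERATION/projects than the user is actually assigned to. The script below is an added example, not code from the Keystone project or from the advisory: it compares the project IDs returned by GET /v3/OS-FEDERATION/projects with those returned by GET /v3/auth/projects (the standard Keystone v3 call that lists the projects a token holder can scope to), and reports any project that appears only in the federation listing. The Keystone URL, the token and the sample JSON bodies are constructed for illustration; run `check_deployment()` against a real endpoint with a non-admin token to test a live system.

```python
"""Check whether a non-admin Keystone user can enumerate projects via
GET /v3/OS-FEDERATION/projects (CVE-2018-14432).

Added example: uses only the Python standard library so it runs offline
against the constructed sample bodies below, and online via check_deployment().
"""
import json
import urllib.error
import urllib.request
from typing import Dict, Set

# Constructed sample responses (not captured from a real deployment).
# A vulnerable Keystone returns every project to any authenticated user.
SAMPLE_FEDERATION_RESPONSE: Dict = {
    "projects": [
        {"id": "p1", "name": "alice-project", "domain_id": "default", "enabled": True},
        {"id": "p2", "name": "finance", "domain_id": "default", "enabled": True},
        {"id": "p3", "name": "hr-archive", "domain_id": "default", "enabled": False},
    ]
}
# /v3/auth/projects lists only projects the token's user holds a role on.
SAMPLE_AUTH_PROJECTS_RESPONSE: Dict = {
    "projects": [
        {"id": "p1", "name": "alice-project", "domain_id": "default", "enabled": True},
    ]
}


def project_ids(body: Dict) -> Set[str]:
    """Extract the set of project IDs from a Keystone project-list body."""
    return {p["id"] for p in body.get("projects", [])}


def leaked_projects(federation_body: Dict, auth_body: Dict) -> Set[str]:
    """Project IDs visible through OS-FEDERATION/projects that the user has
    no role assignment on according to /v3/auth/projects."""
    return project_ids(federation_body) - project_ids(auth_body)


def is_vulnerable(federation_body: Dict, auth_body: Dict) -> bool:
    """True if the federation listing exposes projects the user cannot scope to."""
    return bool(leaked_projects(federation_body, auth_body))


def fetch_json(keystone_url: str, path: str, token: str) -> Dict:
    """GET a Keystone v3 path with X-Auth-Token and decode the JSON body."""
    req = urllib.request.Request(
        keystone_url.rstrip("/") + path,
        headers={"X-Auth-Token": token, "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def check_deployment(keystone_url: str, token: str) -> Set[str]:
    """Return the set of project IDs leaked to the holder of `token`.

    Assumption: a 403 or 404 on /v3/OS-FEDERATION/projects means the endpoint
    is disabled by policy or not routed, so nothing is leaked via this path.
    """
    try:
        fed = fetch_json(keystone_url, "/v3/OS-FEDERATION/projects", token)
    except urllib.error.HTTPError as exc:
        if exc.code in (403, 404):
            return set()
        raise
    auth = fetch_json(keystone_url, "/v3/auth/projects", token)
    return leaked_projects(fed, auth)


if __name__ == "__main__":
    # Offline demonstration on the constructed bodies.
    leaked = leaked_projects(SAMPLE_FEDERATION_RESPONSE, SAMPLE_AUTH_PROJECTS_RESPONSE)
    print("vulnerable:", bool(leaked), "leaked project ids:", sorted(leaked))
    # Online use (hypothetical values):
    # print(check_deployment("https://keystone.example.com", "<non-admin token>"))
```

Use a token issued to an ordinary member user, not an admin: an admin is expected to see every project, so the comparison only means something for a low-privilege identity. An empty result does not by itself prove the fix is installed, since the endpoint may simply be disabled by policy; confirm the Keystone version as well.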
CVSS Vector
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Reference
http://www.openwall.com/lists/oss-security/2018/07/25/2
http://www.securityfocus.com/bid/104930
https://access.redhat.com/errata/RHSA-2018:2523
https://access.redhat.com/errata/RHSA-2018:2533
https://access.redhat.com/errata/RHSA-2018:2543
https://www.debian.org/security/2018/dsa-4275
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction Required
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
Base Score
5.3
Base Severity
MEDIUM