CVE Vulnerability

CVE-2018-14432

In the Federation component of OpenStack Keystone before 11.0.4, 12.0.0, and 13.0.0, an authenticated "GET /v3/OS-FEDERATION/projects" request may bypass intended access restrictions on listing projects. An authenticated user may discover projects they have no authority to access, leaking all projects in the deployment and their attributes. Only Keystone with the /v3/OS-FEDERATION endpoint enabled via policy.json is affected.

3.5 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 6.8 / Impact : 2.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

Scope

5.3 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.6 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
http://www.openwall.com/lists/oss-security/2018/07/25/2 Mailing List Patch
http://www.securityfocus.com/bid/104930 Third Party Advisory VDB Entry
https://www.debian.org/security/2018/dsa-4275 Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:2523 Vendor Advisory
https://access.redhat.com/errata/RHSA-2018:2533 Vendor Advisory
https://access.redhat.com/errata/RHSA-2018:2543 Vendor Advisory
Configurations

Configuration 1

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openstack:10:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openstack:12:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openstack:13:*:*:*:*:*:*:*
cpe:2.3:a:openstack:keystone:*:*:*:*:*:*:*:*
cpe:2.3:a:openstack:keystone:12.0.0:*:*:*:*:*:*:*
cpe:2.3:a:openstack:keystone:13.0.0:*:*:*:*:*:*:*
Information

Published : 2018-07-31 02:29

Updated : 2021-08-04 05:15

NVD link : CVE-2018-14432

Mitre link : CVE-2018-14432

Products Affected
No products.
CWE
CWE-200