Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2019-19687

Опубликовано: 09 дек. 2019
Источник: nvd
CVSS3: 8.8
CVSS2: 3.5
EPSS Низкий

Описание

OpenStack Keystone 15.0.0 and 16.0.0 is affected by Data Leakage in the list credentials API. Any user with a role on a project is able to list any credentials with the /v3/credentials API when enforce_scope is false. Users with a role on a project are able to view any other users' credentials, which could (for example) leak sign-on information for Time-based One Time Passwords (TOTP). Deployments with enforce_scope set to false are affected. (There will be a slight performance impact for the list credentials API once this issue is fixed.)

Ссылки

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:openstack:keystone:15.0.0:*:*:*:*:*:*:*
cpe:2.3:a:openstack:keystone:16.0.0:*:*:*:*:*:*:*

EPSS

Процентиль: 73%
0.00766
Низкий

8.8 High

CVSS3

3.5 Low

CVSS2

Дефекты

CWE-522

Связанные уязвимости

ubuntu логотип

CVE-2019-19687

CVSS3: 8.8
ubuntu
около 6 лет назад

OpenStack Keystone 15.0.0 and 16.0.0 is affected by Data Leakage in the list credentials API. Any user with a role on a project is able to list any credentials with the /v3/credentials API when enforce_scope is false. Users with a role on a project are able to view any other users' credentials, which could (for example) leak sign-on information for Time-based One Time Passwords (TOTP). Deployments with enforce_scope set to false are affected. (There will be a slight performance impact for the list credentials API once this issue is fixed.)

redhat логотип

CVE-2019-19687

CVSS3: 8.1
redhat
около 6 лет назад

OpenStack Keystone 15.0.0 and 16.0.0 is affected by Data Leakage in the list credentials API. Any user with a role on a project is able to list any credentials with the /v3/credentials API when enforce_scope is false. Users with a role on a project are able to view any other users' credentials, which could (for example) leak sign-on information for Time-based One Time Passwords (TOTP). Deployments with enforce_scope set to false are affected. (There will be a slight performance impact for the list credentials API once this issue is fixed.)

debian логотип

CVE-2019-19687

CVSS3: 8.8
debian
около 6 лет назад

OpenStack Keystone 15.0.0 and 16.0.0 is affected by Data Leakage in th ...

github логотип

GHSA-2j23-fwqm-mgwr

CVSS3: 8.8
github
больше 3 лет назад

OpenStack Keystone Credential Leakage

EPSS

Процентиль: 73%
0.00766
Низкий

8.8 High

CVSS3

3.5 Low

CVSS2

Дефекты

CWE-522