Description
In the Federation component of OpenStack Keystone before 11.0.4, 12.0.0, and 13.0.0, an authenticated "GET /v3/OS-FEDERATION/projects" request may bypass intended access restrictions on listing projects. An authenticated user may discover projects they have no authority to access, leaking all projects in the deployment and their attributes. Only Keystone with the /v3/OS-FEDERATION endpoint enabled via policy.json is affected.
A flaw was found in Keystone federation. By issuing a GET /v3/OS-FEDERATION/projects request, an authenticated user may discover projects they have no authority to access, leaking all projects in the deployment and their attributes. Only Keystone with the /v3/OS-FEDERATION endpoint enabled via policy.json is affected.
Statement
Red Hat Quay does not include the vulnerable keystone/federation/controllers.py file fixed in [1].

[1] https://review.opendev.org/c/openstack/keystone/+/585782/
Affected packages

| Platform | Package | State | Advisory | Release date |
|---|---|---|---|---|
| Red Hat Enterprise Linux OpenStack Platform 7 (Kilo) | openstack-keystone | Not affected | | |
| Red Hat Fuse 7 | openstack-keystone | Not affected | | |
| Red Hat JBoss Fuse 6 | openstack-keystone | Not affected | | |
| Red Hat OpenStack Platform 14 (Rocky) | openstack-keystone | Not affected | | |
| Red Hat OpenStack Platform 8 (Liberty) | openstack-keystone | Not affected | | |
| Red Hat OpenStack Platform 9 (Mitaka) | openstack-keystone | Not affected | | |
| Red Hat Quay 3 | quay/quay-rhel8 | Not affected | | |
| Red Hat OpenStack Platform 10.0 (Newton) | openstack-keystone | Fixed | RHSA-2018:2543 | 22.08.2018 |
| Red Hat OpenStack Platform 12.0 (Pike) | openstack-keystone | Fixed | RHSA-2018:2523 | 20.08.2018 |
| Red Hat OpenStack Platform 13.0 (Queens) | openstack-keystone | Fixed | RHSA-2018:2533 | 21.08.2018 |
Additional information

CVSS3 score: 5.3 (Medium)