Description
In the Federation component of OpenStack Keystone before 11.0.4, 12.0.0, and 13.0.0, an authenticated "GET /v3/OS-FEDERATION/projects" request may bypass intended access restrictions on listing projects. An authenticated user may discover projects they have no authority to access, leaking all projects in the deployment and their attributes. Only Keystone with the /v3/OS-FEDERATION endpoint enabled via policy.json is affected.
| Release | Status | Note |
|---|---|---|
| bionic | not-affected | 2:13.0.0-0ubuntu1 |
| cosmic | not-affected | 2:14.0.0-0ubuntu2 |
| devel | not-affected | 2:14.0.0-0ubuntu2 |
| disco | not-affected | 2:14.0.0-0ubuntu2 |
| eoan | not-affected | 2:14.0.0-0ubuntu2 |
| esm-infra-legacy/trusty | DNE | trusty/esm was DNE [trusty was needs-triage] |
| esm-infra/bionic | not-affected | 2:13.0.0-0ubuntu1 |
| esm-infra/focal | not-affected | 2:14.0.0-0ubuntu2 |
| esm-infra/xenial | not-affected | 2:9.3.0-0ubuntu3.2 |
| focal | not-affected | 2:14.0.0-0ubuntu2 |
EPSS: 3.5 Low
CVSS2: 5.3 Medium
CVSS3