← Back

CVE-2018-14432

nvd nist
Published: Jul 31, 2018Modified: Nov 21, 2024

JSON object

Loading...
5.3
Vector
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploitability: 1.6 / Impact: 3.6
Source: NVD

Description

In the Federation component of OpenStack Keystone before 11.0.4, 12.0.0, and 13.0.0, an authenticated "GET /v3/OS-FEDERATION/projects" request may bypass intended access restrictions on listing projects. An authenticated user may discover projects they have no authority to access, leaking all projects in the deployment and their attributes. Only Keystone with the /v3/OS-FEDERATION endpoint enabled via policy.json is affected.

Affected (7)

Debian
1 product
Debian Linux
Redhat
1 product
Openstack
Openstack
1 product
Keystone
Configuration A
1 vulnerable
Vulnerable SoftwareAffected Versions
Debian Linux
Version 9.0
Configuration B
3 vulnerable
Vulnerable SoftwareAffected Versions
Redhat
Openstack
Version 10
Openstack
Version 12
Openstack
Version 13
Configuration C
3 vulnerable
Vulnerable SoftwareAffected Versions
Openstack
Keystone
Before 11.0.4
Keystone
Version 12.0.0
Keystone
Version 13.0.0

Related CWEs

CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References (12)

Source: cve@mitre.org
Mailing ListPatchThird Party Advisory
Source: cve@mitre.org
Third Party AdvisoryVDB Entry
Source: cve@mitre.org
Vendor Advisory
Source: cve@mitre.org
Vendor Advisory
Source: cve@mitre.org
Vendor Advisory
Source: cve@mitre.org
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing ListPatchThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party AdvisoryVDB Entry
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory

Timeline

No history available yet.