oss-sec mailing list archives
[OSSA 2014-029] Configuration option leak through Keystone catalog (CVE-2014-3621)
From: Tristan Cacqueray <tristan.cacqueray () enovance com>
Date: Tue, 16 Sep 2014 15:31:47 -0400
OpenStack Security Advisory: 2014-029 CVE: CVE-2014-3621 Date: September 16, 2014 Title: Configuration option leak through Keystone catalog Reporter: Brant Knudson (IBM) Products: Keystone Versions: up to 2013.2.3 and 2014.1 versions up to 2014.1.2.1 Description: Brant Knudson from IBM reported a vulnerability in Keystone catalog url replacement. By creating a malicious endpoint a privileged user may reveal configuration options resulting in sensitive information, like master admin_token, being exposed through the service url. All Keystone setups that allow non-admin users to create endpoints are affected. Juno (development branch) fix: https://review.openstack.org/121889 Icehouse fix: https://review.openstack.org/121890 Havana fix: https://review.openstack.org/121891 Notes: This fix will be included in the Juno release 2014.2.0 and in future stable 2013.2.4 and 2014.1.3 releases. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3621 https://launchpad.net/bugs/1354208 -- Tristan Cacqueray OpenStack Vulnerability Management Team
Attachment:
signature.asc
Description: OpenPGP digital signature
Current thread:
- [OSSA 2014-029] Configuration option leak through Keystone catalog (CVE-2014-3621) Tristan Cacqueray (Sep 16)