MEDIUM

GHSA-8v8f-vc72-pmhc

OpenStack Identity Keystone Exposure of Sensitive Information

Details

The catalog url replacement in OpenStack Identity (Keystone) before 2013.2.3 and 2014.1 before 2014.1.2.1 allows remote authenticated users to read sensitive configuration options via a crafted endpoint, as demonstrated by "$(admin_token)" in the publicurl endpoint field.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / keystone

Introduced in: 0 Fixed in: 8.0.0a0

Fix pip install --upgrade 'keystone>=8.0.0a0'

References

https://nvd.nist.gov/vuln/detail/CVE-2014-3621 [ADVISORY]
https://github.com/openstack/keystone/commit/2989ff257e4fde6a168e25b926805e700406aa80 [WEB]
https://github.com/openstack/keystone/commit/52714633c9a4dae5e60279217090859aa6dbcb4f [WEB]
https://access.redhat.com/errata/RHSA-2014:1688 [WEB]
https://access.redhat.com/errata/RHSA-2014:1789 [WEB]
https://access.redhat.com/errata/RHSA-2014:1790 [WEB]
https://access.redhat.com/security/cve/CVE-2014-3621 [WEB]
https://bugs.launchpad.net/keystone/+bug/1354208 [WEB]
https://bugzilla.redhat.com/show_bug.cgi?id=1139937 [WEB]
http://rhn.redhat.com/errata/RHSA-2014-1688.html [WEB]
http://rhn.redhat.com/errata/RHSA-2014-1789.html [WEB]
http://rhn.redhat.com/errata/RHSA-2014-1790.html [WEB]
http://www.openwall.com/lists/oss-security/2014/09/16/10 [WEB]
http://www.ubuntu.com/usn/USN-2406-1 [WEB]