CVE-2014-3621

CWE-200 — Information Exposure10 documents8 sources

Severity

4.0MEDIUM

EPSS

0.4%

top 37.72%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openstack Keystone Canonical Ubuntu Linux Redhat Openstack

Timeline

PublishedOct 2

Latest updateMay 13

Description

The catalog url replacement in OpenStack Identity (Keystone) before 2013.2.3 and 2014.1 before 2014.1.2.1 allows remote authenticated users to read sensitive configuration options via a crafted endpoint, as demonstrated by "$(admin_token)" in the publicurl endpoint field.

CVSS vector

AV:N/AC:L/C:P/I:N/A:NExploitability: 8.0 | Impact: 2.9

Affected Packages4 packages

▶NVDopenstack/keystone2013.2 — 2013.2.3+1

▶PyPIkeystone< 8.0.0a0

▶Debiankeystone< 2014.1.3-1+3

▶NVDredhat/openstack4.0, 5.0+1

Also affects: Ubuntu Linux 14.04

Patches

Patch: www.openwall.com ↗Patch: www.openwall.com ↗

🔴Vulnerability Details

OSV

OpenStack Identity Keystone Exposure of Sensitive Information↗2022-05-13

▶

GHSA

OpenStack Identity Keystone Exposure of Sensitive Information↗2022-05-13

▶

OSV

CVE-2014-3621: The catalog url replacement in OpenStack Identity (Keystone) before 2013↗2014-10-02

▶

CVEList

CVE-2014-3621: The catalog url replacement in OpenStack Identity (Keystone) before 2013↗2014-10-02

▶

📋Vendor Advisories

Ubuntu

OpenStack Keystone vulnerability↗2014-11-11

▶

Red Hat

openstack-keystone: configuration data information leak through Keystone catalog↗2014-09-16

▶

Debian

CVE-2014-3621: keystone - The catalog url replacement in OpenStack Identity (Keystone) before 2013.2.3 and...↗2014

▶

💬Community

Bugzilla

CVE-2014-3621 openstack-keystone: configuration data information leak through Keystone catalog [fedora-all]↗2014-09-17

▶

Bugzilla

CVE-2014-3621 openstack-keystone: configuration data information leak through Keystone catalog↗2014-09-10

▶