CVE-2019-19687

Severity: 8.8 HIGH
EPSS: 0.7% (top 27.38%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Dec 9
Latest update: May 24

Description

OpenStack Keystone 15.0.0 and 16.0.0 are affected by Data Leakage in the list credentials API. Any user with a role on a project is able to list any credentials with the /v3/credentials API when enforce_scope is false. Users with a role on a project are able to view any other users' credentials, which could (for example) leak sign-on information for Time-based One Time Passwords (TOTP). Deployments with enforce_scope set to false are affected. (There will be a slight performance impact for the li

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Affected Packages (3 packages)

Source   Package              Versions
NVD      openstack/keystone   15.0.0, 16.0.0 +1
PyPI     keystone             15.0.0 15.0.1 +1
Debian   keystone             < 2:16.0.0-5 +3

Patches

Vulnerability Details (4)

- GHSA: OpenStack Keystone Credential Leakage (2022-05-24)
- OSV: OpenStack Keystone Credential Leakage (2022-05-24)
- CVEList: CVE-2019-19687: OpenStack Keystone 15 (2019-12-09)
- OSV: CVE-2019-19687: OpenStack Keystone 15 (2019-12-09)

Vendor Advisories (3)

- Ubuntu: OpenStack Keystone vulnerability (2020-01-30)
- Red Hat: openstack-keystone: Credentials API allows non-admin to list and retrieve all users credentials (2019-12-04)
- Debian: CVE-2019-19687: keystone - OpenStack Keystone 15.0.0 and 16.0.0 is affected by Data Leakage in the list cre... (2019)

Community (2)

- Bugzilla: CVE-2019-19687 openstack-keystone: Credentials API allows non-admin to list and retrieve all users credentials [openstack-rdo] (2019-12-12)
- Bugzilla: CVE-2019-19687 openstack-keystone: Credentials API allows non-admin to list and retrieve all users credentials (2019-12-10)
CVE-2019-19687 (HIGH CVSS 8.8) | OpenStack Keystone 15.0.0 and 16.0. | cvebase.io