CVE-2019-19687
published 2019-12-09CVE-2019-19687: OpenStack Keystone 15.0.0 and 16.0.0 is affected by Data Leakage in the list credentials API. Any user with a role on a project is able to list any credentials…
high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
OpenStack Keystone 15.0.0 and 16.0.0 is affected by Data Leakage in the list credentials API. Any user with a role on a project is able to list any credentials with the /v3/credentials API when enforce_scope is false. Users with a role on a project are able to view any other users' credentials, which could (for example) leak sign-on information for Time-based One Time Passwords (TOTP). Deployments with enforce_scope set to false are affected. (There will be a slight performance impact for the list credentials API once this issue is fixed.)
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | keystone | < keystone 2:16.0.0-5 (bookworm) | keystone 2:16.0.0-5 (bookworm) |
| openstack | keystone | — | — |
| openstack | keystone | — | — |
| openstack | keystone | >= 0 < 2:16.0.0-5 | 2:16.0.0-5 |
| openstack | keystone | >= 0 < 2:16.0.0-5 | 2:16.0.0-5 |
| openstack | keystone | >= 0 < 2:16.0.0-5 | 2:16.0.0-5 |
| openstack | keystone | >= 0 < 2:16.0.0-5 | 2:16.0.0-5 |
| openstack | keystone | >= 15.0.0 < 15.0.1 | 15.0.1 |
| openstack | keystone | >= 16.0.0 < 16.0.1 | 16.0.1 |
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
osv8.8HIGH