Launchpad.net

CVE 2018-14432

In the Federation component of OpenStack Keystone before 11.0.4, 12.0.0, and 13.0.0, an authenticated "GET /v3/OS-FEDERATION/projects" request may bypass intended access restrictions on listing projects. An authenticated user may discover projects they have no authority to access, leaking all projects in the deployment and their attributes. Only Keystone with the /v3/OS-FEDERATION endpoint enabled via policy.json is affected.

Related bugs and status

CVE-2018-14432 (Candidate) is related to these bugs:

Bug #1779205: [OSSA-2018-002] GET /v3/OS-FEDERATION/projects leaks project information (CVE-2018-14432)

		In	Importance	Status
1779205	[OSSA-2018-002] GET /v3/OS-FEDERATION/projects leaks project information (CVE-2018-14432)	OpenStack Identity (keystone)	Critical	Fix Released
1779205	[OSSA-2018-002] GET /v3/OS-FEDERATION/projects leaks project information (CVE-2018-14432)	OpenStack Security Advisory	Undecided	Fix Released
1779205	[OSSA-2018-002] GET /v3/OS-FEDERATION/projects leaks project information (CVE-2018-14432)	OpenStack Identity (keystone) ocata	Critical	Fix Released
1779205	[OSSA-2018-002] GET /v3/OS-FEDERATION/projects leaks project information (CVE-2018-14432)	OpenStack Identity (keystone) queens	Critical	Fix Released
1779205	[OSSA-2018-002] GET /v3/OS-FEDERATION/projects leaks project information (CVE-2018-14432)	OpenStack Identity (keystone) rocky	Critical	Fix Released
1779205	[OSSA-2018-002] GET /v3/OS-FEDERATION/projects leaks project information (CVE-2018-14432)	OpenStack Identity (keystone) pike	Critical	Fix Released

See the

CVE page on Mitre.org for more details.

References

MLIST: [oss-security] 2018072...
BID: 104930
DEBIAN: DSA-4275
REDHAT: RHSA-2018:2523
REDHAT: RHSA-2018:2533
REDHAT: RHSA-2018:2543