SB2019120917 - Insufficiently protected credentials in OpenStack Keystone
Published: December 9, 2019 Updated: December 20, 2019
Description
This security bulletin contains information about one security vulnerability.
1) Insufficiently protected credentials (CVE-ID: CVE-2019-19687)
The vulnerability allows a remote, authenticated user to list the credentials of any user in the deployment.
The vulnerability exists due to data leakage in the list credentials API. Any user holding a role on a project can retrieve every stored credential, not only their own, with a GET request to the "/v3/credentials" API when "enforce_scope" (the [oslo_policy] option in keystone.conf) is false. Because the Keystone credential store holds secrets such as EC2 access/secret key pairs and TOTP seeds, the leak exposes sign-on material belonging to other users.
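The following is an added client-side check written for this bulletin; it is not code from the bulletin or from the Keystone project. It parses a keystone.conf for the "[oslo_policy] enforce_scope" setting the bulletin names, and it inspects the JSON body of a GET /v3/credentials call made with an ordinary project-scoped token, returning every credential whose "user_id" differs from the caller's. On a patched Keystone a non-system-scoped caller only receives their own credentials, so a non-empty result indicates the leak. The URL, token, user IDs and the sample response and config texts are constructed assumptions.

```python
"""Added example: check for the CVE-2019-19687 credential leak.

Two independent checks:
  1. enforce_scope_enabled()  - is [oslo_policy] enforce_scope = true in keystone.conf?
     (the bulletin states the leak occurs when it is false; absent means false)
  2. foreign_credentials()    - given the body of GET /v3/credentials for a
     project-scoped token, which returned credentials belong to other users?

list_credentials() performs the live request and is only used when pointed at
a real endpoint; everything else runs offline on the constructed samples below.
"""
import configparser
import json
import urllib.request


def enforce_scope_enabled(keystone_conf_text: str) -> bool:
    """True if [oslo_policy] enforce_scope is set to true in the given config text.

    A missing section or option is reported as False, matching the upstream
    default for this option at the time of the advisory.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(keystone_conf_text)
    return cp.getboolean("oslo_policy", "enforce_scope", fallback=False)


def list_credentials(keystone_url: str, token: str) -> str:
    """GET /v3/credentials with the supplied token; returns the raw JSON body.

    keystone_url is the public endpoint (assumed, e.g. "https://keystone.example.com");
    token must be a project-scoped token of a user who is NOT an admin.
    """
    req = urllib.request.Request(
        keystone_url.rstrip("/") + "/v3/credentials",
        headers={"X-Auth-Token": token, "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def foreign_credentials(response_body: str, caller_user_id: str) -> list:
    """Return (id, user_id, type) for every credential not owned by caller_user_id.

    Only metadata is returned; the secret-bearing "blob" field is deliberately
    dropped so the check can be logged without re-leaking the secrets.
    """
    creds = json.loads(response_body).get("credentials", [])
    return [
        (c.get("id"), c.get("user_id"), c.get("type"))
        for c in creds
        if c.get("user_id") != caller_user_id
    ]


# Constructed sample data (assumptions, not captured from a real deployment).
VULNERABLE_CONF = "[DEFAULT]\n\n[oslo_policy]\n# upstream default at the time\nenforce_scope = false\n"
HARDENED_CONF = "[oslo_policy]\nenforce_scope = true\n"

# Shape of a v3 credentials list response: the caller "u-caller" sees a TOTP
# seed and an EC2 key pair that belong to two other users.
SAMPLE_RESPONSE = json.dumps({
    "credentials": [
        {"id": "c1", "user_id": "u-caller", "project_id": "p1", "type": "ec2",
         "blob": "{\"access\": \"AK1\", \"secret\": \"SK1\"}", "links": {}},
        {"id": "c2", "user_id": "u-victim", "project_id": "p2", "type": "totp",
         "blob": "JBSWY3DPEHPK3PXP", "links": {}},
        {"id": "c3", "user_id": "u-admin", "project_id": None, "type": "ec2",
         "blob": "{\"access\": \"AK3\", \"secret\": \"SK3\"}", "links": {}},
    ]
})


if __name__ == "__main__":
    print("enforce_scope enabled:", enforce_scope_enabled(VULNERABLE_CONF))
    leaked = foreign_credentials(SAMPLE_RESPONSE, "u-caller")
    print("credentials of other users visible to caller:", leaked)
    # Against a live deployment (assumed URL/token):
    # body = list_credentials("https://keystone.example.com", "<project-scoped token>")
    # print(foreign_credentials(body, "<caller user id>"))
```

Run the live variant with the least-privileged project member you have; if the returned list is non-empty the deployment is exposed regardless of what the config file says, since the response is the ground truth for what the API actually enforces.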
Remediation
Upgrade Keystone to a release that includes the upstream fixes referenced below (OSSA-2019-006 lists the affected and fixed versions; distribution users should apply their vendor's corresponding update, for example the Red Hat errata referenced below). Deployments running with "enforce_scope = true" in the [oslo_policy] section of keystone.conf are not exposed to this particular leak, but that option changes policy enforcement across the whole service and must be tested before being enabled as a workaround. Until the fix is applied, treat secrets stored as Keystone credentials (EC2 key pairs, TOTP seeds) as potentially disclosed to any user with a role on a project, and rotate them where that risk is unacceptable.
References
- http://www.openwall.com/lists/oss-security/2019/12/11/8
- https://access.redhat.com/errata/RHSA-2019:4358
- https://bugs.launchpad.net/keystone/+bug/1855080
- https://review.opendev.org/#/c/697355/
- https://review.opendev.org/#/c/697611/
- https://review.opendev.org/#/c/697731/
- https://security.openstack.org/ossa/OSSA-2019-006.html