
Merge "Add OSSA-2018-002, CVE-2018-14432 for publishing"

Zuul 8 months ago
parent
commit
51e04ea771
1 changed files with 41 additions and 0 deletions
  1. 41
    0
      ossa/OSSA-2018-002.yaml

+ 41
- 0
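--- a/ossa/OSSA-2018-002.yaml
+++ b/ossa/OSSA-2018-002.yaml
@@ -0,0 +1,41 @@
+date: 2018-07-25
+
+id: OSSA-2018-002
+
+title: GET /v3/OS-FEDERATION/projects leaks project information
+
+description: >
+  Kristi Nikolla with Boston University reported a vulnerability
+  in Keystone federation. By doing GET /v3/OS-FEDERATION/projects
+  an authenticated user may discover projects they have no
+  authority to access, leaking all projects in the deployment and
+  their attributes.
+  Only Keystone with the /v3/OS-FEDERATION endpoint enabled via
+  policy.json is affected.
+
+affected-products:
+  - product: keystone
+    version: '<11.0.4, ==12.0.0, ==13.0.0'
+
+vulnerabilities:
+  - cve-id: CVE-2018-14432
+
+reporters:
+  - name: Kristi Nikolla
+    affiliation: Boston University
+    reported:
+      - CVE-2018-14432
+
+issues:
+  links:
+    - https://launchpad.net/bugs/1779205
+
+reviews:
+  rocky:
+    - https://review.openstack.org/585782
+  queens:
+    - https://review.openstack.org/585788
+  pike:
+    - https://review.openstack.org/585792
+  ocata:
+    - https://review.openstack.org/585802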
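Review bot: `date: 2018-07-25` on the first line of the new file is an unquoted ISO date, which YAML 1.1 loaders such as PyYAML turn into a date object rather than a string, so a consumer that compares or renders it as text sees a type change rather than the literal value. If the publishing tool expects a string, quote it as `date: "2018-07-25"`; if the other advisories under ossa/ rely on the bare form and the tool handles date objects, keep it as written for consistency. The remaining scalars are already safe: the version constraint is single-quoted so its `<` and `==` operators are not misread, and the OSSA/CVE ids cannot be implicitly retyped.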
