First published: Wed Sep 10 2014(Updated: )
The catalog url replacement in OpenStack Identity (Keystone) before 2013.2.3 and 2014.1 before 2014.1.2.1 allows remote authenticated users to read sensitive configuration options via a crafted endpoint, as demonstrated by "$(admin_token)" in the publicurl endpoint field.
Credit: secalert@redhat.com secalert@redhat.com
Affected Software | Affected Version | How to fix |
---|---|---|
OpenStack Keystone | >=2013.2<2013.2.3 | |
OpenStack Keystone | >=2014.1<2014.1.2.1 | |
Canonical Ubuntu Linux | =14.04 | |
Redhat Openstack | =5.0 | |
Redhat Enterprise Linux | =6.0 | |
Redhat Enterprise Linux | =7.0 | |
Redhat Openstack | =4.0 | |
pip/keystone | <8.0.0a0 | 8.0.0a0 |
All of | ||
Redhat Openstack | =5.0 | |
Any of | ||
Redhat Enterprise Linux | =6.0 | |
Redhat Enterprise Linux | =7.0 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.