CVE-2018-14432: Infoleak
First published: Fri Jul 20 2018(Updated: )
A flaw was found in Keystone federation. By doing GET /v3/OS-FEDERATION/projects an authenticated user may discover projects they have no authority to access, leaking all projects in the deployment and their attributes. Only Keystone with the /v3/OS-FEDERATION endpoint enabled via policy.json is affected.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Debian Debian Linux | =9.0 | |
| Redhat Openstack | =10 | |
| Redhat Openstack | =12 | |
| Redhat Openstack | =13 | |
| OpenStack Keystone | <11.0.4 | |
| OpenStack Keystone | =12.0.0 | |
| OpenStack Keystone | =13.0.0 | |
| debian/keystone | 2:14.2.0-0+deb10u1 2:18.0.0-3+deb11u1 2:22.0.0-2 2:24.0.0-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://security-tracker.debian.org/tracker/CVE-2018-14432
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14432
- http://www.openwall.com/lists/oss-security/2018/07/25/2
- https://salsa.debian.org/openstack-team/services/keystone/commit/83ae87061a0a40a208431a57d3518c8ad33a35da
- https://bugs.debian.org/904616
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=904616
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1608595
- https://access.redhat.com/errata/RHSA-2018:2523
- https://access.redhat.com/errata/RHSA-2018:2533
- https://access.redhat.com/errata/RHSA-2018:2543
- https://review.opendev.org/c/openstack/keystone/+/585782/
- https://bugzilla.redhat.com/show_bug.cgi?id=1606868
- http://www.securityfocus.com/bid/104930
- https://www.debian.org/security/2018/dsa-4275
- https://www.openwall.com/lists/oss-security/2018/07/25/2
- https://bugs.launchpad.net/keystone/+bug/1779205
Frequently Asked Questions
What is CVE-2018-14432?
CVE-2018-14432 is a vulnerability in the Federation component of OpenStack Keystone that allows an authenticated user to bypass access restrictions and discover projects they have no authority to access.
What is the severity of CVE-2018-14432?
The severity of CVE-2018-14432 is high with a CVSS score of 5.3.
How does CVE-2018-14432 impact OpenStack Keystone?
CVE-2018-14432 allows an authenticated user to leak project information that they shouldn't have access to in OpenStack Keystone.
Are there any known fixes for CVE-2018-14432?
Yes, there are known fixes for CVE-2018-14432. Please refer to the official references for remediation steps.
Where can I find more information about CVE-2018-14432?
You can find more information about CVE-2018-14432 in the official references provided.
- collector/debian-bugs
- alias/CVE-2018-14432
- collector/nvd-index
- collector/security-tracker-debian
- agent/weakness
- agent/author
- agent/severity
- agent/references
- agent/type
- agent/description
- agent/event
- agent/softwarecombine
- agent/first-publish-date
- agent/last-modified-date
- agent/remedy
- agent/tags
- collector/redhat-bugzilla
- source/Red Hat
- collector/mitre-cve
- source/MITRE
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0
- vendor/redhat
- canonical/redhat openstack
- version/redhat openstack/10
- version/redhat openstack/12
- version/redhat openstack/13
- vendor/openstack
- canonical/openstack keystone
- version/openstack keystone/12.0.0
- version/openstack keystone/13.0.0
- package-manager/debian