Candidate: CVE-2018-14432
PublicDate: 2018-07-31 14:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14432
 http://www.openwall.com/lists/oss-security/2018/07/25/2
Description:
 In the Federation component of OpenStack Keystone before 11.0.4, 12.0.0,
 and 13.0.0, an authenticated "GET /v3/OS-FEDERATION/projects" request may
 bypass intended access restrictions on listing projects. An authenticated
 user may discover projects they have no authority to access, leaking all
 projects in the deployment and their attributes. Only Keystone with the
 /v3/OS-FEDERATION endpoint enabled via policy.json is affected.
Ubuntu-Description:
Notes:
 mdeslaur> per redhat bug, not reproducible on release older than ocata
Bugs:
 https://launchpad.net/bugs/1779205
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=904616
 https://bugzilla.redhat.com/show_bug.cgi?id=1606868
Priority: low
Discovered-by: Kristi Nikolla
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N [5.3 MEDIUM]


Patches_keystone:
upstream_keystone: released (2:13.0.0-7)
precise/esm_keystone: DNE
trusty_keystone: ignored (reached end-of-life)
trusty/esm_keystone: DNE (trusty was needs-triage)
xenial_keystone: not-affected (2:9.3.0-0ubuntu3.2)
esm-infra/xenial_keystone: not-affected (2:9.3.0-0ubuntu3.2)
bionic_keystone: not-affected (2:13.0.0-0ubuntu1)
cosmic_keystone: not-affected (2:14.0.0-0ubuntu2)
disco_keystone: not-affected (2:14.0.0-0ubuntu2)
eoan_keystone: not-affected (2:14.0.0-0ubuntu2)
focal_keystone: not-affected (2:14.0.0-0ubuntu2)
devel_keystone: not-affected (2:14.0.0-0ubuntu2)