Launchpad CVE tracker

CVE 2014-3621

The catalog url replacement in OpenStack Identity (Keystone) before 2013.2.3 and 2014.1 before 2014.1.2.1 allows remote authenticated users to read sensitive configuration options via a crafted endpoint, as demonstrated by "$(admin_token)" in the publicurl endpoint field.

Related bugs and status

CVE-2014-3621 (Candidate) is related to these bugs:

Bug #1354208: [OSSA 2014-029] Catalog replacement allows reading config (CVE-2014-3621)

		In	Importance	Status
1354208	[OSSA 2014-029] Catalog replacement allows reading config (CVE-2014-3621)	OpenStack Identity (keystone)	Medium	Fix Released
1354208	[OSSA 2014-029] Catalog replacement allows reading config (CVE-2014-3621)	OpenStack Security Advisory	Medium	Fix Released
1354208	[OSSA 2014-029] Catalog replacement allows reading config (CVE-2014-3621)	OpenStack Identity (keystone) icehouse	Medium	Fix Released
1354208	[OSSA 2014-029] Catalog replacement allows reading config (CVE-2014-3621)	OpenStack Identity (keystone) havana	Medium	Fix Released

See the

CVE page on Mitre.org for more details.

Launchpad.net

CVE 2014-3621

References