Hi, the VMT are taking on padawans, myself being one of them. Please review this VMT description for accuracy and clarity.
NOTE: https://security.openstack.org/vmt-process.html#draft-impact-description states that the mitigation method should be specified, but the template (used below) does not have it. Also, I do not know the first release that introduced this bug so I included all YYYY.C releases as affected.
Title: GET /v3/OS-FEDERATION/projects leaks project information
Reporter: Kristi Nikolla
Products: Keystone
Affects: >=2011.3 <=2015.1.4, >=13.0.0 <13.0.1, >=12.0.0 <12.0.1, <11.0.4
Description:
Kristi Nikolla reported a vulnerability in Keystone federation.
By doing GET /v3/OS-FEDERATION/domains an actor may read project
access control data resulting in a leak of a project's full structure
along with all associated attributes.
Only Keystone with federation enabled is affected.