<Keystone Developer Hat>This looks like a pretty severe data leak. While usually project info is not really "privileged data", this leaks the entire project structure and all associated attributes. I would develop a fix and propose backports.
<VMT Member Hat>I would likely classify this as a Class A [0] bug due to the severity of data leaking. This should be backportable to all active branches. While this is not directly exploitable (there is no escalation/inappropriate actions able to be taken), this exposes knowledge of every project in the cloud where it clearly is not intended.
Alternatively, this could be a Class D bug since no escalation/inappropriate action can be taken (as of now) even with the entire list of projects.
I'll look for further weighing in from the Keystone-Coresec team.
Finally, if the fixes cannot be generated shortly/quickly, given the fact that this was accidentally released on a public paste site, it would make sense to make this public so that cloud operators could modify their policy.json (or load-balancers/other devices doing layer-7 inspection/routing) to block access to OS-FEDERATION auth URLs.
[0] https://security.openstack.org/vmt-process.html#incident-report-taxonomy