Title: GET /v3/OS-FEDERATION/projects leaks project information
Reporter: Kristi Nikolla with Boston University
Products: Keystone
Affects: <11.0.4, ==13.0.0, ==12.0.0
Description:
Kristi Nikolla with Boston University reported a vulnerability
in Keystone federation. By doing GET /v3/OS-FEDERATION/projects
an authenticated user may discover projects they have no
authority to access, leaking all projects in the deployment and
their attributes.
Only Keystone with the /v3/OS-FEDERATION endpoint enabled via
policy.json is affected.
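A defender-side check for this issue, added here and not part of the advisory: with one token belonging to a user who holds roles on only a few projects, compare the project list returned by GET /v3/auth/projects (the projects the token's user is actually assigned to) against GET /v3/OS-FEDERATION/projects; any extra project in the second listing is the disclosure described above. The sample response bodies, the use of plain urllib instead of keystoneclient, and the OS_AUTH_URL / OS_TOKEN environment variables are assumptions for this example.

```python
import json
import os
import urllib.request

# Constructed sample bodies (not captured from a real deployment), shaped like
# Keystone's GET /v3/auth/projects and GET /v3/OS-FEDERATION/projects responses.
SAMPLE_AUTH_PROJECTS = {"projects": [{"id": "p1", "name": "alice-project"}]}
SAMPLE_FED_PROJECTS = {"projects": [
    {"id": "p1", "name": "alice-project"},
    {"id": "p2", "name": "finance"},
    {"id": "p3", "name": "hr"},
]}


def leaked_projects(auth_body, federation_body):
    """Projects listed by OS-FEDERATION/projects on which the caller has no
    role assignment according to /v3/auth/projects.  A non-empty result means
    the deployment exhibits the disclosure; a fixed Keystone returns []."""
    authorised = {p["id"] for p in auth_body.get("projects", [])}
    return [p for p in federation_body.get("projects", [])
            if p["id"] not in authorised]


def _get_json(url, token):
    # Minimal authenticated GET; the token is passed in X-Auth-Token as for any v3 call.
    req = urllib.request.Request(
        url, headers={"X-Auth-Token": token, "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def check_deployment(keystone_url, token):
    """Run both listings with the same token and return the leaked projects.
    Use a token for a low-privilege user, not an admin, or both lists match."""
    base = keystone_url.rstrip("/")
    auth = _get_json(base + "/v3/auth/projects", token)
    fed = _get_json(base + "/v3/OS-FEDERATION/projects", token)
    return leaked_projects(auth, fed)


if __name__ == "__main__":
    # Assumed environment: OS_AUTH_URL points at Keystone, OS_TOKEN is a valid token.
    extra = check_deployment(os.environ["OS_AUTH_URL"], os.environ["OS_TOKEN"])
    if extra:
        print("AFFECTED: %d project(s) visible without a role assignment" % len(extra))
        for p in extra:
            print("  %s  %s" % (p["id"], p.get("name", "")))
    else:
        print("not affected: OS-FEDERATION/projects matches /v3/auth/projects")
```

If the deployment has the /v3/OS-FEDERATION endpoint disabled in policy.json the second request is refused with 403, which is the expected, unaffected outcome.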
Please review this VMT description for accuracy and clarity.
NOTE: https://security.openstack.org/vmt-process.html#draft-impact-description states that the mitigation method should be specified, but the template (used below) does not have it.