The description in http://seclists.org/oss-sec/2018/q3/59 says: "Only Keystone with the /v3/OS-FEDERATION endpoint enabled via policy.json is affected". We are not using federation in our product, and there is no mention of this API in our Keystone's policy.json, but we still see that any user with a token is able to run GET /v3/OS-FEDERATION/projects and gets all projects in the response.