OpenStack Identity (keystone)

Overview
Code
Bugs
Blueprints
Translations
Answers

Series ocata
Bug #1779205
Comment #27

Comment 27 for bug 1779205

Revision history for this message

Matthew Thode (prometheanfire) wrote on 2018-07-12: Re: GET /v3/OS-FEDERATION/projects leaks project information

#27

Please review this VMT description for accuracy and clarity.

NOTE: https://security.openstack.org/vmt-process.html#draft-impact-description states that the mitigation method should be specified, but the template (used below) does not have it.

Title: GET /v3/OS-FEDERATION/projects leaks project information
Reporter: Kristi Nikolla
Products: Keystone
Affects: >=2014.1 <=2015.1.4, >=13.0.0 <13.0.1, >=12.0.0 <12.0.1, <11.0.4

Description:
Kristi Nikolla reported a vulnerability in Keystone federation.
By doing GET /v3/OS-FEDERATION/projects an actor may discover
projects they have no authority to access, leaking all projects
in the deployment and their attributes.
Only Keystone with the OS-FEDERATION endpoint enabled is affected.