[OSSA-2018-002] GET /v3/OS-FEDERATION/projects leaks project information (CVE-2018-14432)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Fix Released | Critical | Lance Bragstad |
Ocata | Fix Released | Critical | Lance Bragstad |
Pike | Fix Released | Critical | Lance Bragstad |
Queens | Fix Released | Critical | Lance Bragstad |
Rocky | Fix Released | Critical | Lance Bragstad |
OpenStack Security Advisory | Fix Released | Undecided | Matthew Thode |
Bug Description
The /v3/OS-
Eventually the /v3/OS-
The /v3/OS-
lbragstad|
clouds:
  devstack:
    auth:
      auth_url: http://
      password: nomoresecret
      project_
      project_name: demo
      user_
      username: demo
    identity_
    region_name: RegionOne
    volume_
  devstack-admin:
    auth:
      auth_url: http://
      password: nomoresecret
      project_
      project_name: admin
      user_
      username: admin
    identity_
    region_name: RegionOne
    volume_
  devstack-alt:
    auth:
      auth_url: http://
      password: nomoresecret
      project_
      project_name: alt_demo
      user_
      username: alt_demo
    identity_
    region_name: RegionOne
    volume_
lbragstad|
+------
| Role | User | Group | Project | Domain | Inherited |
+------
| member | | nonadmins@Default | demo@Default | | False |
| anotherrole | | nonadmins@Default | demo@Default | | False |
| member | | nonadmins@Default | alt_demo@Default | | False |
| anotherrole | | nonadmins@Default | alt_demo@Default | | False |
| admin | | admins@Default | admin@Default | | False |
| admin | admin@Default | | demo@Default | | False |
| admin | admin@Default | | admin@Default | | False |
| admin | admin@Default | | alt_demo@Default | | False |
| admin | admin@Default | | | Default | False |
| member | demo@Default | | demo@Default | | False |
| anotherrole | demo@Default | | demo@Default | | False |
| member | demo@Default | | invisible_
| member | alt_demo@Default | | alt_demo@Default | | False |
| anotherrole | alt_demo@Default | | alt_demo@Default | | False |
| admin | admin@Default | | | | False |
+------
lbragstad|
+------
| Field | Value |
+------
| expires | 2018-06-
| id | gAAAAABbNT8jpqw
| project_id | 44053df0d12f4ba
| user_id | cef2773684114d5
+------
lbragstad|
uuESisyzj36w'
lbragstad|
% Total % Received % Xferd Average Speed Time Time Time Current
100 669 100 669 0 0 20476 0 --:--:-- --:--:-- --:--:-- 20906
{
"links": {
"next": null,
"previous": null,
"self": "http://
},
"projects": [
{
"id": "44053df0d12f4b
},
"name": "demo",
"tags": []
},
{
"id": "8c92de6ab3884f
},
"name": "invisible_
"tags": []
}
]
}
lbragstad|
% Total % Received % Xferd Average Speed Time Time Time Current
100 1270 100 1270 0 0 17528 0 --:--:-- --:--:-- --:--:-- 17638
{
"links": {
"next": null,
"previous": null,
"self": "http://
},
"projects": [
{
"id": "44053df0d12f4b
},
"name": "demo",
"tags": []
},
{
"id": "681b94352ed146
},
"name": "admin",
"tags": []
},
{
"id": "9a742b4684dc4c
},
"name": "alt_demo",
"tags": []
},
{
"id": "8c92de6ab3884f
},
"name": "invisible_
"tags": []
}
]
}
Notice that I used the devstack cloud config, which specifies the demo user who only has the `member` and `anotherrole` assigned on two projects (demo and invisible_
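The transcript above shows a token scoped to the demo project fetching a /v3/OS-FEDERATION/projects listing that also contains the invisible_ project, and the admin token fetching all four projects. The following Python is an added example, not keystone's code and not part of the bug report: it audits such a listing offline, flagging projects that fall outside the token's scope and projects the role-assignment table does not account for at all. Everything in it is constructed: the full project and user IDs (the page shows only their first characters), the hidden_project name standing in for the page's truncated invisible_ project, the keystone.example URL, and the role-assignment rows, which mirror the demo user's rows in the table above.

```python
"""Offline audit of a GET /v3/OS-FEDERATION/projects response against the
token that fetched it and the deployment's role assignments.

Added example; not keystone's own code.  All bodies, IDs and table rows
below are constructed to mirror the transcript in the bug report."""
import json

# Hypothetical full IDs: the page shows only their first characters.
DEMO_PROJECT_ID = "44053df0d12f4b" + "0" * 18
HIDDEN_PROJECT_ID = "8c92de6ab3884f" + "0" * 18
DEMO_USER_ID = "cef2773684114d5" + "0" * 17

# Fields from `openstack token issue` for a token scoped to the demo project.
DEMO_SCOPED_TOKEN = {"project_id": DEMO_PROJECT_ID, "user_id": DEMO_USER_ID}


def make_listing(projects):
    """Build a /v3/OS-FEDERATION/projects body shaped like the transcript's.

    `projects` is a list of (name, id) pairs; the link URLs are placeholders."""
    base = "http://keystone.example/v3"
    return json.dumps({
        "links": {"next": None, "previous": None,
                  "self": base + "/OS-FEDERATION/projects"},
        "projects": [
            {"id": pid, "links": {"self": base + "/projects/" + pid},
             "name": name, "tags": []}
            for name, pid in projects
        ],
    })


# Constructed listing as returned for the demo-scoped token above.
DEMO_LISTING = make_listing([("demo", DEMO_PROJECT_ID),
                             ("hidden_project", HIDDEN_PROJECT_ID)])

# Constructed `openstack role assignment list` output (same layout as the
# table in the report), reduced to the demo user's direct assignments.
ROLE_ASSIGNMENTS = """\
+-------------+--------------+-------+------------------------+--------+-----------+
| Role        | User         | Group | Project                | Domain | Inherited |
+-------------+--------------+-------+------------------------+--------+-----------+
| member      | demo@Default |       | demo@Default           |        | False     |
| anotherrole | demo@Default |       | demo@Default           |        | False     |
| member      | demo@Default |       | hidden_project@Default |        | False     |
+-------------+--------------+-------+------------------------+--------+-----------+
"""


def direct_project_assignments(table, user):
    """Parse the CLI table; return the project names `user` has a direct
    (non-group, non-inherited) role assignment on."""
    projects = set()
    for line in table.splitlines():
        if not line.startswith("|"):
            continue                                   # +---+ border rows
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if cells[0] == "Role":
            continue                                   # header row
        _role, row_user, _group, project, _domain, inherited = cells
        if row_user == user and project and inherited == "False":
            projects.add(project.split("@", 1)[0])     # "demo@Default" -> "demo"
    return projects


def audit_listing(token_fields, listing_body, assignments_table, user):
    """Classify every project the federation listing returned.

    outside_scope: projects other than the one the token is scoped to; a
                   project-scoped caller would expect at most its own project.
    unexplained:   projects `user` has no direct assignment on, i.e. entries
                   the role table does not account for.
    An unscoped token has no project to compare against, so outside_scope is
    empty for it and only the second check applies."""
    scoped_id = token_fields.get("project_id")        # None when unscoped
    known = direct_project_assignments(assignments_table, user)
    outside_scope, unexplained = [], []
    for project in json.loads(listing_body)["projects"]:
        if scoped_id is not None and project["id"] != scoped_id:
            outside_scope.append(project["name"])
        if project["name"] not in known:
            unexplained.append(project["name"])
    return {"outside_scope": outside_scope, "unexplained": unexplained}


if __name__ == "__main__":
    print(audit_listing(DEMO_SCOPED_TOKEN, DEMO_LISTING,
                        ROLE_ASSIGNMENTS, "demo@Default"))
```

Run against the constructed data the audit reports hidden_project as outside the demo token's scope but explained by a direct assignment, which is the situation in the transcript; a project that shows up in neither place lands in both lists. To use it on a real deployment, feed it the body of the curl call, the fields of `openstack token issue` and the text of `openstack role assignment list --names`.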
CVE References: CVE-2018-14432
Changed in ossa:
  status: Incomplete → Confirmed
Changed in ossa:
  status: Triaged → Fix Committed
  assignee: nobody → Matthew Thode (prometheanfire)
  information type: Private Security → Public Security
  summary:
  - GET /v3/OS-FEDERATION/projects leaks project information
  + [OSSA-2018-002] GET /v3/OS-FEDERATION/projects leaks project information (CVE--2018-14432)
Changed in ossa:
  status: Fix Committed → Fix Released
  status: Fix Released → Fix Committed
  description: updated
  summary:
  [OSSA-2018-002] GET /v3/OS-FEDERATION/projects leaks project information
  - (CVE--2018-14432)
  + (CVE-2018-14432)
Changed in ossa:
  status: Fix Committed → Fix Released
Kristi came to me with this today in a private IRC discussion. We confirmed the bug, but we accidentally put the results in paste.openstack.org [0][1]. Someone could discover this issue by scrubbing paste (including for full disclosure).
[0] http://paste.openstack.org/show/724547/
[1] http://paste.openstack.org/show/manColzRRAOHKGrZhyNQ/