Comment 5 for bug 938315

Kurt Seifried (kseifried) wrote : Re: Updating password via keystoneclient CLI should be done securely.

Assigned a CVE for this as per http://openwall.com/lists/oss-security/2013/04/26/6

While auditing OpenStack bugs for flaws needing CVEs I came across
this (as yet unfixed) one:

https://bugs.launchpad.net/python-keystoneclient/+bug/938315

[root@...s ~]# keystone user-password-update --user=jake
usage: keystone user-password-update --pass <password> <user-id>
keystone user-password-update: error: too few arguments

This class of vuln typically gets a CVE.

http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=command+line+password

CVE text:

OpenStack keystone places a username and password on the command line,
which allows local users to obtain credentials by listing the process.

Please use CVE-2013-2013 for this issue.
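Added illustration, not part of Kurt's comment or of keystoneclient's own code: the `--pass` pattern the CVE text describes next to a prompting alternative, plus a check that flags credential flags in process listings. The function names and the `ps`-style sample lines are constructed for this example.

```python
import argparse
import getpass
import re

# Flags that commonly carry a secret in argv (constructed list for this check).
SECRET_FLAG = re.compile(r"(?:^|\s)(?:--pass(?:word)?|-p)(?:=|\s+)\S+")

# Constructed sample in `ps -eo pid,args` layout; nothing here is real output.
SAMPLE_PS = [
    "  4101 keystone user-password-update --pass s3cret jake",
    "  4102 bash",
    "  4103 keystone user-list",
]


def find_exposed_secrets(ps_lines):
    """Return (pid, args) for processes whose argv carries a password flag.

    Every local user can read these lines (and /proc/<pid>/cmdline on
    Linux), which is why a password passed as an argument is exposed.
    """
    hits = []
    for line in ps_lines:
        pid, _, args = line.strip().partition(" ")
        if SECRET_FLAG.search(args):
            hits.append((int(pid), args))
    return hits


def resolve_password(argv, prompt=getpass.getpass):
    """Parse `[--pass <password>] <user-id>`; return (user_id, password, exposed).

    `exposed` is True when the password arrived via argv and has therefore
    already been visible in the process table; when --pass is omitted the
    password is read from the terminal without echo and never touches argv.
    """
    parser = argparse.ArgumentParser(prog="keystone user-password-update")
    parser.add_argument("--pass", dest="password", default=None)
    parser.add_argument("user_id")
    ns = parser.parse_args(argv)
    if ns.password is not None:
        return ns.user_id, ns.password, True
    return ns.user_id, prompt("New password for %s: " % ns.user_id), False


if __name__ == "__main__":
    for pid, args in find_exposed_secrets(SAMPLE_PS):
        print("pid %d exposes a secret on its command line: %s" % (pid, args))
    user, _, exposed = resolve_password(["jake"], prompt=lambda _: "from-prompt")
    print("updated %s; password exposed in argv: %s" % (user, exposed))
```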