I wrote up an impact description for use in an upcoming OpenStack Security Advisory and associated CVE request. Please suggest any improvements or suggestions:
Title: Credentials API allows listing and retrieving of all users' credentials
Reporter: Daniel 'f0o' Preussker ()
Products: Keystone
Affects: >=15.0.0, <=16.0.0
Description: Daniel 'f0o' Preussker reported a vulnerability in Keystone's list credentials API. Any user with a role on a project is able to list any credentials with the /v3/credentials API when enforce_scope is false. Users with a role on a project are able to view any other users' credentials, which could leak sign-on information for Time-based One Time Passwords (TOTP) or otherwise. Deployments running keystone with enforce_scope set to false are affected.

Bug: https://bugs.launchpad.net/keystone/+bug/1855080
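A quick way for an operator to confirm whether a deployment is exposed is to obtain a project-scoped token for an ordinary (non-admin) user, call GET /v3/credentials with it, and look for entries whose user_id is not the caller's. The script below does that. It is an added example written for this thread, not code from the bug report, from Keystone, or from the OSSA; it assumes only the documented shapes of the /v3/auth/tokens and /v3/credentials responses and the standard X-Auth-Token header, and the Keystone URL and sample data in it are constructed placeholders. It deliberately never prints the credential blob, since for a TOTP credential that is the shared secret itself.

```python
"""Check whether GET /v3/credentials returns other users' credentials.

Added example for the keystone bug discussion (not project code). The
response shapes used here are Keystone's documented ones; KEYSTONE_URL,
the user IDs and SAMPLE_RESPONSE are constructed for illustration.
"""
import json
import urllib.request

# Assumed endpoint; replace with the real Keystone base URL.
KEYSTONE_URL = "http://controller:5000"


def token_user_id(token_body):
    """Return the user ID a POST /v3/auth/tokens response was issued to."""
    return token_body["token"]["user"]["id"]


def foreign_credentials(body, own_user_id):
    """Return every credential in a /v3/credentials body not owned by own_user_id.

    With enforce_scope=true a non-admin, project-scoped caller only sees its
    own credentials, so any entry here means the API is leaking.
    """
    if isinstance(body, (str, bytes)):
        body = json.loads(body)
    return [c for c in body["credentials"] if c.get("user_id") != own_user_id]


def summarize(cred):
    """Report a leaked entry without echoing the blob (the TOTP secret)."""
    return {"id": cred["id"], "user_id": cred["user_id"], "type": cred["type"]}


def fetch_credentials(token, base_url=KEYSTONE_URL):
    """Live check: list credentials as the holder of a project-scoped token."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/v3/credentials",
        headers={"X-Auth-Token": token, "Accept": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample of a leaking response: the caller is user "u-alice" but
# two of the three entries belong to other users.
SAMPLE_RESPONSE = {
    "credentials": [
        {"id": "c1", "user_id": "u-alice", "type": "ec2",
         "project_id": "p1", "blob": "{\"access\": \"...\"}"},
        {"id": "c2", "user_id": "u-bob", "type": "totp",
         "project_id": "p1", "blob": "GEZDGNBVGY3TQOJQ"},
        {"id": "c3", "user_id": "u-carol", "type": "totp",
         "project_id": "p2", "blob": "MFRGGZDFMZTWQ2LK"},
    ],
    "links": {"self": KEYSTONE_URL + "/v3/credentials"},
}


def check(body, own_user_id):
    """Return (vulnerable, summaries) for a credentials listing."""
    leaked = foreign_credentials(body, own_user_id)
    return bool(leaked), [summarize(c) for c in leaked]


if __name__ == "__main__":
    vulnerable, details = check(SAMPLE_RESPONSE, "u-alice")
    print("vulnerable" if vulnerable else "ok", details)
```

To run it against a real deployment, authenticate a plain project member, feed the token response to token_user_id and the X-Subject-Token value to fetch_credentials, then pass both to check. The fix on the operator side is enforce_scope = true in the [oslo_policy] section of keystone.conf; before flipping it, review any policy overrides you carry, since scope enforcement also applies to every other rule that declares scope_types.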
