Updated, please review:

Title: Credentials API allows non-admin to list and retrieve every user's credentials
Reporter: Daniel 'f0o' Preussker
Products: Keystone
Affects: ==15.0.0, ==16.0.0

Description:
Daniel 'f0o' Preussker reported a vulnerability in Keystone's list credentials API. Any user with a role on a project is able to list any credentials with the /v3/credentials API when enforce_scope is false. Users with a role on a project are able to view any other users' credentials, which could leak sign-on information for Time-based One Time Passwords (TOTP) or otherwise. Deployments running keystone with enforce_scope set to false are affected. There will be a slight performance impact for the list credentials API once this issue is fixed.

--
https://bugs.launchpad.net/bugs/1855080
Title: Credentials API allows listing and retrieving of all users' credentials
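The report ties exposure to two conditions: an affected Keystone release and enforce_scope left false. The following audit helper is an added example, not code from the bug report or from Keystone; it parses a keystone.conf text and reports whether a deployment matches both conditions. It assumes keystone.conf is INI formatted, that enforce_scope lives in the [oslo_policy] section (where oslo.policy registers it), that the usual oslo.config boolean spellings are accepted, and that a missing option means False, the default in those releases. The sample configurations are constructed for the example.

```python
"""Audit helper for the Keystone credentials-listing issue described above.

Added example, not part of the bug report or of Keystone itself. It checks a
keystone.conf text against the two conditions named in the report: an affected
release (15.0.0 or 16.0.0) and [oslo_policy] enforce_scope left false.
Assumptions: INI-formatted keystone.conf, the option lives in [oslo_policy],
oslo.config boolean spellings are accepted, and a missing option means False
(the default in those releases).
"""
import configparser

AFFECTED_VERSIONS = {"15.0.0", "16.0.0"}   # taken from the report's "Affects" line
_TRUE = {"true", "on", "yes", "1"}          # oslo.config BoolOpt spellings (assumed)
_FALSE = {"false", "off", "no", "0"}


def enforce_scope_enabled(conf_text: str) -> bool:
    """Return True if [oslo_policy] enforce_scope is set to a true value."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    # Missing section or option: fall back to the release default of False.
    raw = parser.get("oslo_policy", "enforce_scope", fallback="false")
    value = raw.strip().lower()
    if value in _TRUE:
        return True
    if value in _FALSE:
        return False
    raise ValueError(f"unrecognised boolean for enforce_scope: {raw!r}")


def is_affected(keystone_version: str, conf_text: str) -> bool:
    """True when the release is affected AND scope enforcement is off."""
    return keystone_version in AFFECTED_VERSIONS and not enforce_scope_enabled(conf_text)


# Constructed sample configurations (not from any real deployment).
WEAK_CONF = """
[DEFAULT]
log_dir = /var/log/keystone

[oslo_policy]
policy_file = policy.yaml
enforce_scope = False
"""

HARDENED_CONF = """
[DEFAULT]
log_dir = /var/log/keystone

[oslo_policy]
policy_file = policy.yaml
enforce_scope = True
"""

# No [oslo_policy] section at all: the release default (False) applies.
DEFAULT_CONF = """
[DEFAULT]
log_dir = /var/log/keystone
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF), ("default", DEFAULT_CONF)):
        print(f"{name:9s} keystone 16.0.0 affected: {is_affected('16.0.0', conf)}")
```

The check is a triage aid only: it tells you whether a deployment sits in the configuration the report names, while the remediation is the fix to the list credentials API itself. Note that a keystone.conf with no [oslo_policy] section is reported as affected, because the option defaults to False when absent.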
