PYSEC-2019-29

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/keystone/PYSEC-2019-29.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2019-29
Aliases
Published
2019-12-09T18:15:00Z
Modified
2023-11-08T04:01:28.914832Z
Summary
[none]
Details

OpenStack Keystone 15.0.0 and 16.0.0 is affected by Data Leakage in the list credentials API. Any user with a role on a project is able to list any credentials with the /v3/credentials API when enforcescope is false. Users with a role on a project are able to view any other users' credentials, which could (for example) leak sign-on information for Time-based One Time Passwords (TOTP). Deployments with enforcescope set to false are affected. (There will be a slight performance impact for the list credentials API once this issue is fixed.)

References

Affected packages

PyPI / keystone

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
16.0.1

Affected versions

12.*

12.0.2
12.0.3

13.*

13.0.2
13.0.3
13.0.4

14.*

14.0.0
14.0.1
14.1.0
14.2.0

15.*

15.0.0.0rc1
15.0.0.0rc2
15.0.0
15.0.1

16.*

16.0.0.0rc1
16.0.0.0rc2
16.0.0