Bug 957033 (CVE-2013-2013) - CVE-2013-2013 OpenStack keystone: password disclosure on command line
Summary: CVE-2013-2013 OpenStack keystone: password disclosure on command line
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2013-2013
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=low,public=20120222,reported=2...
Depends On: 957034 957035 957036 971746 971837
Blocks: 957037
TreeView+ depends on / blocked
 
Reported: 2013-04-26 08:29 UTC by Kurt Seifried
Modified: 2019-06-08 19:33 UTC (History)
22 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-03-07 00:32:12 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Launchpad 938315 None None None Never

Description Kurt Seifried 2013-04-26 08:29:59 UTC
Jake Dahn reports:

Updating password via CLI should be done via a secure password prompt, not text.

current: keystone user-password-update --user=jake --password=foo

expected: keystone user-password-update --user=jake
                        Password:
                        Repeat Password:

OpenStack keystone places a username and password on the command line,
which allows local users to obtain credentials by listing the process.

Comment 1 Kurt Seifried 2013-04-26 08:33:36 UTC
Created openstack-keystone tracking bugs for this issue

Affects: fedora-all [bug 957034]

Comment 2 Kurt Seifried 2013-04-26 08:34:34 UTC
Created openstack-keystone tracking bugs for this issue

Affects: epel-6 [bug 957035]

Comment 5 Kurt Seifried 2013-05-22 23:38:58 UTC
Jeremy Stanley (jeremy@openstack.org) reports:

Title: Keystone client local information disclosure
Reporter: Jake Dahn (Nebula)
Products: python-keystoneclient
Affects: All versions

Description:
Jake Dahn from Nebula reported a vulnerability that the keystone
client only allows passwords to be updated in a clear text
command-line argument, which may enable other local users to obtain
sensitive information by listing the process and potentially leaves
a record of the password within the shell command history.

Fix:
https://review.openstack.org/28702

External references:
https://bugs.launchpad.net/python-keystoneclient/+bug/938315

Comment 6 Jan Lieskovsky 2013-06-07 11:40:17 UTC
Created python-keystoneclient tracking bugs for this issue

Affects: fedora-rawhide [bug 971837]

Comment 7 Alan Pevec 2013-06-28 19:16:48 UTC
Fixed in python-keystoneclient 0.2.4

http://github.com/openstack/python-keystoneclient/commit/f2e0818bc97bfbeba83f6abbb07909a8debcad77

Comment 8 Fedora Update System 2013-08-19 18:07:38 UTC
python-keystoneclient-0.2.0-3.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2013-08-21 00:08:58 UTC
python-keystoneclient-0.2.0-2.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Garth Mollett 2014-03-07 00:32:12 UTC
Statement:

The Red Hat Security Response Team has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.


Note You need to log in before you can comment on or make changes to this bug.