A vulnerability was found in Keystone's list credentials API. Any user with a role on a project is able to list any credentials with the /v3/credentials API when enforce_scope is false. Users with a role on a project are able to view any other users' credentials, which could leak sign-on information for Time-based One Time Passwords (TOTP) or othewise. Deployments running keystone with enforce_scope set to false are affected. There will be a slight performance impact for the list credentials API once this issue is fixed. Affects: ==15.0.0, ==16.0.0
Upstream patches: master: https://git.openstack.org/cgit/openstack/keystone/commit/?id=17c337dbdbfb9d548ad531c2ad0483c9bce5b98f train: https://git.openstack.org/cgit/openstack/keystone/commit/?id=bd3f63787151183f4daa43578aa491856fefae5b stein: https://git.openstack.org/cgit/openstack/keystone/commit/?id=17947516b0095c51da5cff94771247f2e7c44ee6
Upstream issue: https://bugs.launchpad.net/ossa/+bug/1855080
External References: https://security.openstack.org/ossa/OSSA-2019-006.html https://seclists.org/oss-sec/2019/q4/152
Created openstack-keystone tracking bugs for this issue: Affects: openstack-rdo [bug 1782632]
Mitigation: To mitigate this issue, set the [oslo_policy] enforce_scope option to 'true' in the keystone.conf file.
Hi Eric, 'a project role' would be more precise, I think. thx! s
This issue has been addressed in the following products: Red Hat OpenStack Platform 15.0 (Stein) Via RHSA-2019:4358 https://access.redhat.com/errata/RHSA-2019:4358
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-19687