Bug 1781470 (CVE-2019-19687) - CVE-2019-19687 openstack-keystone: Credentials API allows non-admin to list and retrieve all users credentials
Summary: CVE-2019-19687 openstack-keystone: Credentials API allows non-admin to list a...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-19687
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1782632 1782633 1782634
Blocks: 1781461
TreeView+ depends on / blocked
 
Reported: 2019-12-10 05:22 UTC by Summer Long
Modified: 2021-02-16 20:55 UTC (History)
19 users (show)

Fixed In Version: keystone 16.0.0-5, keystone 15.0.0-18
Doc Type: If docs needed, set a value
Doc Text:
A disclosure vulnerability was found in openstack-keystone's credentials API. Users with a project role are able to list any credentials with the /v3/credentials API when enforce_scope is false. Information for time-based one time passwords (TOTP) may also be disclosed. Deployments running keystone with enforce_scope set to false are also affected. There will be a slight performance impact for the list credentials API once this issue is fixed.
Clone Of:
Environment:
Last Closed: 2019-12-19 20:09:39 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:4358 0 None None None 2019-12-19 19:26:49 UTC

Description Summer Long 2019-12-10 05:22:58 UTC
A vulnerability was found in Keystone's list credentials API. Any user with a role on a project is able to list any credentials with the /v3/credentials API when enforce_scope is false. Users with a role on a project are able to view any other users' credentials, which could leak sign-on information for Time-based One Time Passwords (TOTP) or othewise. Deployments running keystone with enforce_scope set to false are affected. There will be a slight performance impact for the list credentials API once this issue is fixed.
Affects: ==15.0.0, ==16.0.0

Comment 4 Summer Long 2019-12-12 01:03:46 UTC
Upstream issue: https://bugs.launchpad.net/ossa/+bug/1855080

Comment 6 Summer Long 2019-12-12 01:06:36 UTC
Created openstack-keystone tracking bugs for this issue:

Affects: openstack-rdo [bug 1782632]

Comment 8 Summer Long 2019-12-12 01:47:17 UTC
Mitigation:

To mitigate this issue, set the [oslo_policy] enforce_scope option to 'true' in the keystone.conf file.

Comment 10 Summer Long 2019-12-17 23:18:25 UTC
Hi Eric, 'a project role' would be more precise, I think. thx! s

Comment 11 errata-xmlrpc 2019-12-19 19:26:48 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 15.0 (Stein)

Via RHSA-2019:4358 https://access.redhat.com/errata/RHSA-2019:4358

Comment 12 Product Security DevOps Team 2019-12-19 20:09:39 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-19687


Note You need to log in before you can comment on or make changes to this bug.