CVE-2018-14432
MEDIUM5.3EPSS 1.1%keystone - security update
發布日:2018/7/31修改日:2026/4/28
也稱為:DEBIAN-CVE-2018-14432
描述
In the Federation component of OpenStack Keystone before 11.0.4, 12.0.0, and 13.0.0, an authenticated "GET /v3/OS-FEDERATION/projects" request may bypass intended access restrictions on listing projects. An authenticated user may discover projects they have no authority to access, leaking all projects in the deployment and their attributes. Only Keystone with the /v3/OS-FEDERATION endpoint enabled via policy.json is affected.
受影響套件(2)
- Debian/keystonefrom 0, < 2:13.0.0-7
- Debian/keystonefrom 0, < 2:10.0.0-9+deb9u1
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.3 | CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N |