Lucene search

[email protected]CVE-2014-3621

HistoryOct 02, 2014 - 2:55 p.m.

CVE-2014-3621

2014-10-0214:55:03

CWE-200

[email protected]

web.nvd.nist.gov

cve-2014-3621

openstack identity

keystone

remote code execution

security vulnerability

nvd

4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

5.8 Medium

AI Score

Confidence

Low

0.003 Low

EPSS

Percentile

71.5%

JSON

The catalog url replacement in OpenStack Identity (Keystone) before 2013.2.3 and 2014.1 before 2014.1.2.1 allows remote authenticated users to read sensitive configuration options via a crafted endpoint, as demonstrated by “$(admin_token)” in the publicurl endpoint field.

Affected configurations

NVD

Node

openstackkeystoneRange2013.2–2013.2.3

openstackkeystoneRange2014.1–2014.1.2.1

Node

canonicalubuntu_linuxMatch14.04lts

Node

redhatopenstackMatch5.0

AND

redhatenterprise_linuxMatch6.0

redhatenterprise_linuxMatch7.0

Node

redhatopenstackMatch4.0

CPENameOperatorVersion
openstack:keystoneopenstack keystonelt2013.2.3
openstack:keystoneopenstack keystonelt2014.1.2.1

CPE	Name	Operator	Version
openstack:keystone	openstack keystone	lt	2013.2.3
openstack:keystone	openstack keystone	lt	2014.1.2.1

References

rhn.redhat.com/errata/RHSA-2014-1688.html

rhn.redhat.com/errata/RHSA-2014-1789.html

rhn.redhat.com/errata/RHSA-2014-1790.html

www.openwall.com/lists/oss-security/2014/09/16/10

www.ubuntu.com/usn/USN-2406-1

bugs.launchpad.net/keystone/+bug/1354208

4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

5.8 Medium

AI Score

Confidence

Low

0.003 Low

EPSS

Percentile

71.5%

JSON

Related for CVE-2014-3621

nessus2 openvas1 ubuntu1 ubuntucve1 veracode1 cvelist1 redhat3 debiancve1 prion1 github1 securityvulns2 nvd1