PowerVC has addressed the following vulnerability. An authenticated “GET /v3/OS-FEDERATION/projects” request to the identity API may bypass intended access restrictions on listing projects. An authenticated user may discover projects they have no authority to access, leaking all projects in the deployment and their attributes.
CVE-ID: CVE-2018-14432
Description: An authenticated “GET /v3/OS-FEDERATION/projects” request may bypass intended access restrictions on listing projects. An authenticated user may discover projects they have no authority to access, leaking all projects in the deployment and their attributes.
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/147412> for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
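A way to verify whether an identity service still exposes the listing described above, as an added example that is not IBM's or OpenStack's code. It assumes a Keystone v3 API at a hypothetical `keystone_url` and a token for a low-privilege user; the comparison logic itself works on constructed JSON bodies so it runs offline.

```python
"""Detect over-disclosure on GET /v3/OS-FEDERATION/projects.

A correctly restricted federation listing returns only the projects the
token's user can actually scope to, i.e. the same set as GET /v3/auth/projects.
Any extra project ids indicate the access-restriction bypass.
"""
import json
import urllib.request


def project_ids(body):
    """Return the set of project ids from a Keystone 'projects' list body."""
    return {p["id"] for p in json.loads(body).get("projects", [])}


def excess_projects(auth_projects_body, federation_projects_body):
    """Project ids listed by OS-FEDERATION/projects but absent from the
    token's /v3/auth/projects listing. Non-empty means projects the user
    has no role on are being disclosed."""
    return project_ids(federation_projects_body) - project_ids(auth_projects_body)


def fetch(keystone_url, token, path):
    """GET a Keystone v3 path with the token in X-Auth-Token (live check only)."""
    req = urllib.request.Request(keystone_url.rstrip("/") + path,
                                 headers={"X-Auth-Token": token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


def check_deployment(keystone_url, token):
    """Live check against a deployment: returns the leaked project ids
    (an empty set means the federation listing is properly restricted)."""
    auth = fetch(keystone_url, token, "/v3/auth/projects")
    fed = fetch(keystone_url, token, "/v3/OS-FEDERATION/projects")
    return excess_projects(auth, fed)


# Constructed sample bodies: the user holds a role on one project only,
# but an unrestricted federation endpoint lists every project in the deployment.
SAMPLE_AUTH = json.dumps({"projects": [{"id": "p1", "name": "team-a"}]})
SAMPLE_FED_UNRESTRICTED = json.dumps({"projects": [
    {"id": "p1", "name": "team-a"},
    {"id": "p2", "name": "team-b"},
    {"id": "p3", "name": "admin"},
]})
SAMPLE_FED_RESTRICTED = SAMPLE_AUTH  # what a fixed service returns

if __name__ == "__main__":
    print("leaked (unrestricted):", excess_projects(SAMPLE_AUTH, SAMPLE_FED_UNRESTRICTED))
    print("leaked (restricted):", excess_projects(SAMPLE_AUTH, SAMPLE_FED_RESTRICTED))
```

Run `check_deployment` with a token for an ordinary user after applying the fix; the returned set should be empty.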
Affected Product | Affected Versions |
---|---|
IBM PowerVC Standard | 1.3.3 |
IBM PowerVC Standard | 1.4.0 |
IBM PowerVC Standard | 1.4.1 |
IBM Cloud PowerVC Manager | 1.3.3 |
IBM Cloud PowerVC Manager | 1.4.0 |
IBM Cloud PowerVC Manager | 1.4.1 |
Product | VRMF | APAR | Remediation / First Fix |
---|---|---|---|
IBM PowerVC Standard and IBM Cloud PowerVC Manager | | | |
IBM PowerVC Standard and IBM Cloud PowerVC Manager | | | |
IBM PowerVC Standard and IBM Cloud PowerVC Manager | | | |
None