Lucene search
Redhat.comRH:CVE-2019-19687HistoryDec 12, 2019 - 1:20 a.m.
CVE-2019-19687
2019-12-1201:20:56
redhat.com
access.redhat.com
9
0.018 Low
EPSS
Percentile
88.2%
A disclosure vulnerability was found in openstack-keystone’s credentials API. Users with a project role are able to list any credentials with the /v3/credentials API when enforce_scope is false. Information for time-based one time passwords (TOTP) may also be disclosed. Deployments running keystone with enforce_scope set to false are also affected. There will be a slight performance impact for the list credentials API once this issue is fixed.
Mitigation
To mitigate this issue, set the [oslo_policy] enforce_scope option to 'true' in the keystone.conf file.
Related
redhat
redhat
(RHSA-2019:4358) Important: openstack-keystone security update
2019-12-19 19:16:28
ubuntu
ubuntu
OpenStack Keystone vulnerability
2020-01-30 00:00:00
openvas
openvas
Ubuntu: Security Advisory (USN-4262-1)
2020-01-31 00:00:00
veracode
veracode
Information Disclosure
2019-12-10 03:00:48
osv
osv
CVE-2019-19687
2019-12-09 18:15:09
PYSEC-2019-29
2019-12-09 18:15:00
OpenStack Keystone Credential Leakage
2022-05-24 17:02:55
nessus
nessus
RHEL 8 : openstack-keystone (RHSA-2019:4358)
2024-04-28 00:00:00
Ubuntu 19.10 : OpenStack Keystone vulnerability (USN-4262-1)
2020-01-31 00:00:00
cve
cve
CVE-2019-19687
2019-12-09 18:15:09
nvd
nvd
CVE-2019-19687
2019-12-09 18:15:09
symantec
symantec
OpenStack Keystone CVE-2019-19687 Information Disclosure Vulnerability
2019-12-09 00:00:00
debiancve
debiancve
CVE-2019-19687
2019-12-09 18:15:09
cvelist
cvelist
CVE-2019-19687
2019-12-09 17:14:14
ubuntucve
ubuntucve
CVE-2019-19687
2019-12-09 00:00:00
prion
prion
Design/Logic Flaw
2019-12-09 18:15:00
github
github
OpenStack Keystone Credential Leakage
2022-05-24 17:02:55