openstack-keystone: Credentials API allows non-admin to list and retrieve all users credentials
A disclosure vulnerability was found in openstack-keystone's credentials API. Users with a project role are able to list any credentials with the /v3/credentials API when enforcescope is false. Information for time-based one time passwords TOTP may also be disclosed. Deployments running keystone...