Information Disclosure

2019-01-1509:02:43

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

0.003 Low

EPSS

Percentile

71.5%

JSON

openstack-keystone is vulnerable to information disclosure attacks. The vulnerability exists as the catalog url replacement in OpenStack Identity (Keystone) before 2013.2.3 and 2014.1 before 2014.1.2.1 allows remote authenticated users to read sensitive configuration options via a crafted endpoint, as demonstrated by “$(admin_token)” in the publicurl endpoint field.

CPENameOperatorVersion
openstack-keystoneeq2014.1.1__1.el6ost
openstack-keystoneeq2012.2.3__4.el6ost
openstack-keystoneeq2013.2__3.el6ost
openstack-keystoneeq2014.1.2.1__2.el7ost
openstack-keystoneeq2012.2__6.el6
openstack-keystoneeq2012.2.3__3.el6ost
openstack-keystoneeq2013.2.2__1.el6ost
openstack-keystoneeq2012.1.3__3.el6
openstack-keystoneeq2013.1.3__2.el6ost
openstack-keystoneeq13.0.0__1.el7

Name	Operator	Version
openstack-keystone	eq	2014.1.1__1.el6ost
openstack-keystone	eq	2012.2.3__4.el6ost
openstack-keystone	eq	2013.2__3.el6ost
openstack-keystone	eq	2014.1.2.1__2.el7ost
openstack-keystone	eq	2012.2__6.el6
openstack-keystone	eq	2012.2.3__3.el6ost
openstack-keystone	eq	2013.2.2__1.el6ost
openstack-keystone	eq	2012.1.3__3.el6
openstack-keystone	eq	2013.1.3__2.el6ost
openstack-keystone	eq	13.0.0__1.el7