openstack-keystone is vulnerable to information disclosure. An authorization bypass on the listing projects via an authenticated GET /v3/OS-FEDERATION/projects
request allows authenticated users to discover projects they have no authority to access, disclosing the project and attributes information.