OpenStack Keystone is vulnerable to information disclosure. Any authenticated user can list the credentials of every user, not just their own, through the /v3/credentials API when [oslo_policy] enforce_scope is set to false in keystone.conf. The leaked credentials include the secrets of time-based one-time password (TOTP) credentials, which Keystone stores as credentials of type totp, so anyone who reads them can reproduce that second factor.
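Two checks an operator can run for the leak described above, written as an added example (not code from the advisory or from the Keystone project): an audit of a /v3/credentials response that reports every credential owned by a user other than the one whose token made the request, and a parser that tells whether [oslo_policy] enforce_scope is enabled in a keystone.conf. The sample response, the user and credential ids, the TOTP blob and the keystone.example.com URL are constructed placeholders, not real data.

```python
"""Added example (not from the advisory or the Keystone project): two checks an
operator can run for the /v3/credentials leak described above.

1. audit_credentials_response(): given the JSON body Keystone returns for
   GET /v3/credentials and the id of the user whose token made the request,
   return every credential that belongs to some *other* user. On a patched or
   correctly scoped deployment this list is empty for a non-admin token.
2. enforce_scope_is_enabled(): parse keystone.conf text and report whether
   [oslo_policy] enforce_scope is true; an absent key is treated as false,
   which was the oslo.policy default at the time of the advisory.

The sample response and config below are constructed for the example; the
credential ids, user ids and TOTP blob are placeholders, not real data.
"""
import configparser
import json
import urllib.request


def fetch_credentials(keystone_url: str, token: str) -> dict:
    """Live variant: GET /v3/credentials with a regular user's token.

    Not used by the offline demo below. Assumes keystone_url looks like
    https://keystone.example.com:5000 (placeholder) and that token is a
    project-scoped token belonging to a non-admin user.
    """
    req = urllib.request.Request(
        f"{keystone_url}/v3/credentials",
        headers={"X-Auth-Token": token, "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def audit_credentials_response(body: dict, requesting_user_id: str) -> list:
    """Return credentials in a /v3/credentials response owned by other users.

    Each entry records the credential id, its owner, its type and whether it
    is a 'totp' credential with a blob, since that blob is the TOTP seed.
    """
    leaked = []
    for cred in body.get("credentials", []):
        owner = cred.get("user_id")
        if owner and owner != requesting_user_id:
            leaked.append({
                "id": cred.get("id"),
                "user_id": owner,
                "type": cred.get("type"),
                "totp_seed_exposed": cred.get("type") == "totp" and bool(cred.get("blob")),
            })
    return leaked


def enforce_scope_is_enabled(keystone_conf_text: str) -> bool:
    """True iff [oslo_policy] enforce_scope is set to a true value."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(keystone_conf_text)
    # getboolean accepts true/false, yes/no, on/off, 1/0, like oslo.config;
    # a missing section or key falls back to False (the historical default).
    return cp.getboolean("oslo_policy", "enforce_scope", fallback=False)


# Constructed sample: what an unpatched, unscoped deployment hands back to
# user "alice" ("u-alice"), whose token should only see her own credentials.
SAMPLE_RESPONSE = {
    "credentials": [
        {"id": "c-1", "user_id": "u-alice", "type": "ec2", "blob": "{\"access\": \"...\"}"},
        {"id": "c-2", "user_id": "u-bob", "type": "totp", "blob": "JBSWY3DPEHPK3PXP"},
        {"id": "c-3", "user_id": "u-carol", "type": "cert", "blob": "-----BEGIN CERT..."},
    ],
    "links": {"self": "https://keystone.example.com/v3/credentials"},
}

# Weak setting the advisory describes, beside the corrected one.
WEAK_CONF = "[oslo_policy]\n# default at the time of the advisory\nenforce_scope = false\n"
FIXED_CONF = "[oslo_policy]\nenforce_scope = true\n"


if __name__ == "__main__":
    for entry in audit_credentials_response(SAMPLE_RESPONSE, "u-alice"):
        print("LEAK:", entry)
    print("weak conf enforces scope:", enforce_scope_is_enabled(WEAK_CONF))
    print("fixed conf enforces scope:", enforce_scope_is_enabled(FIXED_CONF))
```

Run the offline demo as-is, or point fetch_credentials at a real deployment with a non-admin token and feed its result to audit_credentials_response: any entry in the returned list is a credential that token should never have seen. Note that flipping enforce_scope to true also changes which tokens may perform system-level operations elsewhere in Keystone, so test it in a staging deployment before applying it in production.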
www.openwall.com/lists/oss-security/2019/12/11/8
access.redhat.com/errata/RHSA-2019:4358
bugs.launchpad.net/keystone/+bug/1855080
bugs.launchpad.net/keystone/+bug/968696
review.opendev.org/#/c/697355/
review.opendev.org/#/c/697611/
review.opendev.org/#/c/697731/
security.openstack.org/ossa/OSSA-2019-006.html