CVE-2014-3621 — MEDIUM (4.0)

Q: How severe is CVE-2014-3621?

CVE-2014-3621 has been rated MEDIUM with a CVSS base score of 4.0/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2014-3621?

Check the references section above for vendor advisories and patch information. Affected products include: Openstack Keystone, Canonical Ubuntu Linux, Redhat Openstack, Redhat Enterprise Linux.

Vulnerability Description

The catalog url replacement in OpenStack Identity (Keystone) before 2013.2.3 and 2014.1 before 2014.1.2.1 allows remote authenticated users to read sensitive configuration options via a crafted endpoint, as demonstrated by "$(admin_token)" in the publicurl endpoint field.

CVSS Score

4.0

MEDIUM

AV:N/AC:L/Au:S/C:P/I:N/A:N

Confidentiality

PARTIAL

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Openstack	Keystone	>= 2013.2, < 2013.2.3
Canonical	Ubuntu Linux	14.04
Redhat	Openstack	5.0
Redhat	Enterprise Linux	6.0

Related Weaknesses (CWE)

CWE-200

References

http://rhn.redhat.com/errata/RHSA-2014-1688.htmlThird Party Advisory
http://rhn.redhat.com/errata/RHSA-2014-1789.htmlThird Party Advisory
http://rhn.redhat.com/errata/RHSA-2014-1790.htmlThird Party Advisory
http://www.openwall.com/lists/oss-security/2014/09/16/10Mailing ListPatchThird Party Advisory
http://www.ubuntu.com/usn/USN-2406-1Third Party Advisory
https://bugs.launchpad.net/keystone/+bug/1354208ExploitIssue TrackingThird Party Advisory
http://rhn.redhat.com/errata/RHSA-2014-1688.htmlThird Party Advisory
http://rhn.redhat.com/errata/RHSA-2014-1789.htmlThird Party Advisory
http://rhn.redhat.com/errata/RHSA-2014-1790.htmlThird Party Advisory
http://www.openwall.com/lists/oss-security/2014/09/16/10Mailing ListPatchThird Party Advisory
http://www.ubuntu.com/usn/USN-2406-1Third Party Advisory
https://bugs.launchpad.net/keystone/+bug/1354208ExploitIssue TrackingThird Party Advisory

FAQ

What is CVE-2014-3621?

CVE-2014-3621 is a vulnerability with a CVSS score of 4.0 (MEDIUM). The catalog url replacement in OpenStack Identity (Keystone) before 2013.2.3 and 2014.1 before 2014.1.2.1 allows remote authenticated users to read sensitive configuration options via a crafted endpoi...

How severe is CVE-2014-3621?

CVE-2014-3621 has been rated MEDIUM with a CVSS base score of 4.0/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2014-3621?

Check the references section above for vendor advisories and patch information. Affected products include: Openstack Keystone, Canonical Ubuntu Linux, Redhat Openstack, Redhat Enterprise Linux.