CVE-2018-14432 — MEDIUM (5.3)

Q: How severe is CVE-2018-14432?

CVE-2018-14432 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2018-14432?

Check the references section above for vendor advisories and patch information. Affected products include: Debian Debian Linux, Redhat Openstack, Openstack Keystone.

Vulnerability Description

In the Federation component of OpenStack Keystone before 11.0.4, 12.0.0, and 13.0.0, an authenticated "GET /v3/OS-FEDERATION/projects" request may bypass intended access restrictions on listing projects. An authenticated user may discover projects they have no authority to access, leaking all projects in the deployment and their attributes. Only Keystone with the /v3/OS-FEDERATION endpoint enabled via policy.json is affected.

CVSS Score

5.3

MEDIUM

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Debian	Debian Linux	9.0
Redhat	Openstack	10
Openstack	Keystone	< 11.0.4

Related Weaknesses (CWE)

CWE-200

References

http://www.openwall.com/lists/oss-security/2018/07/25/2Mailing ListPatchThird Party Advisory
http://www.securityfocus.com/bid/104930Third Party AdvisoryVDB Entry
https://access.redhat.com/errata/RHSA-2018:2523Vendor Advisory
https://access.redhat.com/errata/RHSA-2018:2533Vendor Advisory
https://access.redhat.com/errata/RHSA-2018:2543Vendor Advisory
https://www.debian.org/security/2018/dsa-4275Third Party Advisory
http://www.openwall.com/lists/oss-security/2018/07/25/2Mailing ListPatchThird Party Advisory
http://www.securityfocus.com/bid/104930Third Party AdvisoryVDB Entry
https://access.redhat.com/errata/RHSA-2018:2523Vendor Advisory
https://access.redhat.com/errata/RHSA-2018:2533Vendor Advisory
https://access.redhat.com/errata/RHSA-2018:2543Vendor Advisory
https://www.debian.org/security/2018/dsa-4275Third Party Advisory

FAQ

What is CVE-2018-14432?

CVE-2018-14432 is a vulnerability with a CVSS score of 5.3 (MEDIUM). In the Federation component of OpenStack Keystone before 11.0.4, 12.0.0, and 13.0.0, an authenticated "GET /v3/OS-FEDERATION/projects" request may bypass intended access restrictions on listing projec...

How severe is CVE-2018-14432?

CVE-2018-14432 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2018-14432?

Check the references section above for vendor advisories and patch information. Affected products include: Debian Debian Linux, Redhat Openstack, Openstack Keystone.