VDB
CVE-2018-14432
CVE-2018-14432
REJECTED
In the Federation component of OpenStack Keystone before 11.0.4, 12.0.0, and 13.0.0, an authenticated "GET /v3/OS-FEDERATION/projects" request may bypass intended access restrictions on listing projects. An authenticated user may discover projects they have no authority to access, leaking all projects in the deployment and their attributes. Only Keystone with the /v3/OS-FEDERATION endpoint enabled via policy.json is affected.
EPSS 1.14% · 78.8th percentile
Risk Scores
EPSS Score
1.14%
78.8th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:16.04:LTS | keystone | *, 2:9.0.2-0ubuntu2, 2:9.1.0-0ubuntu1 |
| Ubuntu:18.04:LTS | keystone | 2:13.0.0~b2-0ubuntu1, *, * |
Exploit Intelligence
- RHSA-2018:2543 (circl)
- RHSA-2018:2533 (circl)
- [oss-security] 20180725 [OSSA-2018-002] GET /v3/OS-FEDERATION/projects leaks project information (CVE-2018-14432) (circl)
- RHSA-2018:2523 (circl)
- 104930 (circl)
- DSA-4275 (circl)
Timeline
- Jul 31, 2018 CVE Published
- Apr 14, 2021 EPSS Score
- Jun 23, 2021 EPSS Score
- Aug 24, 2021 EPSS Score
- Oct 26, 2021 EPSS Score
- Feb 28, 2022 EPSS Score
- May 2, 2022 EPSS Score
- Jul 3, 2022 EPSS Score
- Sep 5, 2022 EPSS Score
- Nov 6, 2022 EPSS Score
- Jan 8, 2023 EPSS Score
- Mar 7, 2023 EPSS Score
References
- https://ubuntu.com/security/CVE-2018-14432 third-party-advisory
- http://www.openwall.com/lists/oss-security/2018/07/25/2 third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2018-14432 third-party-advisory