CVE-2014-3621 — OpenStack Identity Keystone Exposure of Sensitive Information

Description

The catalog url replacement in OpenStack Identity (Keystone) before 2013.2.3 and 2014.1 before 2014.1.2.1 allows remote authenticated users to read sensitive configuration options via a crafted endpoint, as demonstrated by "$(admin_token)" in the publicurl endpoint field.

How to fix CVE-2014-3621

To remediate CVE-2014-3621, upgrade the affected package to a fixed version below.

Debian/keystone—upgrade to 2014.1.3-1 or later
PyPI/keystone—upgrade to 8.0.0a0 or later

Is CVE-2014-3621 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 2014.1.3-1
from 0, < 8.0.0a0

References (15)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2014-3621
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2014-3621
WEBrhn.redhat.com/errata/RHSA-2014-1688.html
WEBrhn.redhat.com/errata/RHSA-2014-1789.html
WEB