CVE-2018-14432
keystone - security update
5.3
MEDIUM
CVSS 3.1
EPSS 1.1%
Description
In the Federation component of OpenStack Keystone before 11.0.4, 12.0.0, and 13.0.0, an authenticated "GET /v3/OS-FEDERATION/projects" request may bypass intended access restrictions on listing projects. An authenticated user may discover projects they have no authority to access, leaking all projects in the deployment and their attributes. Only Keystone with the /v3/OS-FEDERATION endpoint enabled via policy.json is affected.
How to fix CVE-2018-14432
To remediate CVE-2018-14432, upgrade the affected package to a fixed version below.
- —upgrade to 2:13.0.0-7 or later
- —upgrade to 2:10.0.0-9+deb9u1 or later
Is CVE-2018-14432 being exploited?
Low — EPSS is 1.1%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 2:13.0.0-7
- from 0, < 2:10.0.0-9+deb9u1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.3 | CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N |