[OSSA-2018-002] GET /v3/OS-FEDERATION/projects leaks project information (CVE-2018-14432)
OSSA-2018-002: GET /v3/OS-FEDERATION/projects leaks project information
Kristi Nikolla with Boston University reported a vulnerability in
Keystone federation. By sending GET /v3/OS-FEDERATION/projects, an
authenticated user may discover projects they have no authority to
access, leaking all projects in the deployment and their attributes.
Only Keystone with the /v3/OS-FEDERATION endpoint enabled via
policy.json is affected.
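
One way to check a deployment for the behaviour described above, as an added example that is not part of the advisory or of Keystone's code: compare the body a test user receives from GET /v3/OS-FEDERATION/projects with the projects that user holds role assignments on. It assumes the Keystone v3 JSON shapes for project and role-assignment listings and that the assignment listing is the effective one (group membership already expanded); all function names, IDs and sample bodies are constructed.

```python
import json

def listed_projects(listing_body):
    """Map project id -> name from a project listing body ({"projects": [...]})."""
    return {p["id"]: p.get("name", "") for p in json.loads(listing_body)["projects"]}

def assigned_projects(assignments_body, user_id):
    """Project ids on which user_id holds a role, from a role-assignment listing.

    Assumes effective assignments, so group membership is already expanded
    to per-user entries. Domain- and system-scoped entries are ignored.
    """
    ids = set()
    for a in json.loads(assignments_body)["role_assignments"]:
        if a.get("user", {}).get("id") != user_id:
            continue
        project = a.get("scope", {}).get("project")
        if project:
            ids.add(project["id"])
    return ids

def leaked_projects(listing_body, assignments_body, user_id):
    """Projects the listing exposed without a matching role assignment."""
    listed = listed_projects(listing_body)
    allowed = assigned_projects(assignments_body, user_id)
    return {pid: name for pid, name in listed.items() if pid not in allowed}

# Constructed sample data (not from a real deployment).
USER = "u-alice"
ASSIGNMENTS = json.dumps({"role_assignments": [
    {"user": {"id": "u-alice"}, "role": {"id": "r-member"},
     "scope": {"project": {"id": "p-alpha"}}},
    {"user": {"id": "u-alice"}, "role": {"id": "r-reader"},
     "scope": {"domain": {"id": "default"}}},
    {"user": {"id": "u-bob"}, "role": {"id": "r-admin"},
     "scope": {"project": {"id": "p-beta"}}},
]})
# Constructed listing bodies: one showing the leak, one showing the expected result.
AFFECTED = json.dumps({"projects": [
    {"id": "p-alpha", "name": "alpha", "domain_id": "default", "enabled": True},
    {"id": "p-beta", "name": "beta", "domain_id": "default", "enabled": True},
]})
FIXED = json.dumps({"projects": [
    {"id": "p-alpha", "name": "alpha", "domain_id": "default", "enabled": True},
]})

if __name__ == "__main__":
    print("affected:", leaked_projects(AFFECTED, ASSIGNMENTS, USER))
    print("fixed:", leaked_projects(FIXED, ASSIGNMENTS, USER))
```

A non-empty result for a test user means the listing returned projects outside that user's role assignments.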