[OSSA-2019-006] Credentials API allows listing and retrieving of all users credentials (CVE-2019-19687)
===================================================================================== OSSA-2019-006: Credentials API allows listing and retrieving of all users credentials =====================================================================================
:Date: December 09, 2019 :CVE: CVE-2019-19687
Affects ~~~~~~~ - Keystone: ==15.0.0, ==16.0.0
Description ~~~~~~~~~~~ Daniel Preussker reported a vulnerability in Keystone's list credentials API. Any user with a role on a project is able to list any credentials with the /v3/credentials API when [oslo_policy] enforce_scope is false. Users with a role on a project are able to view any other users credentials, which could leak sign-on information for Time-based One Time Passwords (TOTP) or othewise. Deployments running keystone with [oslo_policy] enforce_scope set to false are affected. There will be a slight performance impact for the list credentials API once this issue is fixed.