CVE-2014-3621
OpenStack Keystone < 2013.2.3 - Information Disclosure
Title source: ruleDescription
The catalog url replacement in OpenStack Identity (Keystone) before 2013.2.3 and 2014.1 before 2014.1.2.1 allows remote authenticated users to read sensitive configuration options via a crafted endpoint, as demonstrated by "$(admin_token)" in the publicurl endpoint field.
Scores
EPSS
0.0043
EPSS Percentile
61.9%
Classification
CWE
CWE-200
Status
draft
Affected Products (5)
openstack/keystone
< 2013.2.3
canonical/ubuntu_linux
redhat/openstack
redhat/openstack
pypi/keystone
< 8.0.0a0 (PyPI)
Timeline
Published
Oct 02, 2014
Tracked Since
Feb 18, 2026