CVE-2014-3621
OpenStack Keystone before 2013.2.3, and 2014.1 before 2014.1.2.1: authenticated sensitive information exposure via catalog URL substitution
Title source: llmDescription
The catalog url replacement in OpenStack Identity (Keystone) before 2013.2.3 and 2014.1 before 2014.1.2.1 allows remote authenticated users to read sensitive configuration options via a crafted endpoint, as demonstrated by "$(admin_token)" in the publicurl endpoint field.
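The substitution the description refers to, as an added Python illustration written for this page (it is not Keystone's own code): catalog endpoint URLs carry `$(name)s` placeholders, which the catalog code rewrites to Python `%(name)s` and formats against a dictionary. Before the fix that dictionary contained every configuration option, so a user who could write an endpoint's publicurl could make the service render `admin_token` into every token response. The example assumes a constructed `CONF` dict, an allowlist of substitution names chosen for the example (the real fix uses its own list), and the `$(name)s` placeholder form that Keystone's catalog templates use; all URLs and values are constructed.

```python
import re

# Constructed stand-in for Keystone's global configuration object (CONF).
# The admin_token value is made up for the example and is not a real credential.
CONF = {
    "admin_token": "constructed-bootstrap-admin-token",
    "public_port": "5000",
    "admin_port": "35357",
    "public_bind_host": "0.0.0.0",
    "admin_bind_host": "0.0.0.0",
}

# Assumed allowlist of configuration keys an endpoint URL may reference.
# The real fix introduced a comparable allowlist; these names are this example's.
CONF_SUBSTITUTION_ALLOWLIST = frozenset(
    {"public_port", "admin_port", "public_bind_host", "admin_bind_host"}
)
# Per-request values taken from the caller's token, never from CONF.
TOKEN_SUBSTITUTION_KEYS = frozenset({"tenant_id", "user_id"})


class MalformedEndpoint(ValueError):
    """Raised when an endpoint URL references a key that must not be substituted."""


def format_url_vulnerable(url, token_data):
    """Pre-fix behaviour (illustrative): '$(name)s' placeholders become Python
    '%(name)s' and are formatted against a dict holding *every* CONF option,
    so '$(admin_token)s' in a stored endpoint resolves to the admin token."""
    substitutions = dict(CONF)
    substitutions.update(token_data)
    return url.replace("$(", "%(") % substitutions


def format_url_hardened(url, token_data):
    """Post-fix behaviour (illustrative): only allowlisted CONF keys and the
    token-scoped keys are resolvable; any other placeholder, or a malformed
    format directive, is rejected instead of being rendered."""
    substitutions = {k: CONF[k] for k in CONF_SUBSTITUTION_ALLOWLIST if k in CONF}
    substitutions.update(
        {k: v for k, v in token_data.items() if k in TOKEN_SUBSTITUTION_KEYS}
    )
    try:
        return url.replace("$(", "%(") % substitutions
    except (KeyError, TypeError, ValueError) as exc:
        # KeyError: placeholder outside the allowlist.  TypeError/ValueError:
        # malformed directive, e.g. '$(admin_token)' with no conversion character.
        raise MalformedEndpoint("refusing to format endpoint %r: %r" % (url, exc)) from exc


def hardened_rejects(url, token_data):
    """True if the hardened formatter refuses the URL (fails closed)."""
    try:
        format_url_hardened(url, token_data)
    except MalformedEndpoint:
        return True
    return False


def scan_catalog_for_leaks(endpoint_urls):
    """Audit helper: return the stored endpoint URLs whose placeholders name a
    key outside the allowlist and token keys, i.e. candidates planted before
    the fix that would still be rendered by an unpatched catalog."""
    allowed = CONF_SUBSTITUTION_ALLOWLIST | TOKEN_SUBSTITUTION_KEYS
    placeholder = re.compile(r"\$\((\w+)\)")
    return [u for u in endpoint_urls if set(placeholder.findall(u)) - allowed]


if __name__ == "__main__":
    token = {"tenant_id": "0123abcd", "user_id": "u-42"}  # constructed token data
    legit = "http://keystone.example.test:$(public_port)s/v2.0/$(tenant_id)s"
    crafted = "http://attacker.example.test/$(admin_token)s"
    print(format_url_vulnerable(legit, token))
    print(format_url_vulnerable(crafted, token))  # renders the admin token
    print(format_url_hardened(legit, token))
    print(hardened_rejects(crafted, token))
    print(scan_catalog_for_leaks([legit, crafted]))
```

The hardened variant fails closed: an endpoint naming anything outside the allowlist yields a `MalformedEndpoint` rather than a partially rendered URL. Because the leak happens when the catalog is rendered into a token response rather than when the endpoint is stored, an operator patching a deployment should also audit the endpoint table for placeholders that reference configuration keys, which is what `scan_catalog_for_leaks` does for a list of publicurl strings.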
References (6)
Third Party Advisory (vendor-advisory, x_refsource_redhat): http://rhn.redhat.com/errata/RHSA-2014-1789.html
Third Party Advisory (vendor-advisory, x_refsource_redhat): http://rhn.redhat.com/errata/RHSA-2014-1688.html
Mailing List, Patch, Third Party Advisory (mailing-list, x_refsource_mlist): http://www.openwall.com/lists/oss-security/2014/09/16/10
Third Party Advisory (vendor-advisory, x_refsource_ubuntu): http://www.ubuntu.com/usn/USN-2406-1
Exploit, Issue Tracking, Third Party Advisory (x_refsource_confirm): https://bugs.launchpad.net/keystone/+bug/1354208
Third Party Advisory (vendor-advisory, x_refsource_redhat): http://rhn.redhat.com/errata/RHSA-2014-1790.html
Scores
EPSS
0.0043
EPSS Percentile
62.4%
Details
CWE
CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)
Status
published
Products (5)
canonical/ubuntu_linux
14.04
openstack/keystone
2013.2 - 2013.2.3
pypi/keystone
0 - 8.0.0a0 (PyPI)
redhat/openstack
5.0
redhat/openstack
4.0
Published
Oct 02, 2014
Tracked Since
Feb 18, 2026