Add OSSA-2018-002, CVE-2018-14432 for publishing

Change-Id: If0012892449a6d1612b55d685cfd5e3c8ea49868
2018-07-25 10:53:57 -05:00 · 2018-07-25 10:53:57 -05:00 · 837d69c5c6
parent 637f05f338
commit 837d69c5c6
1 changed files with 41 additions and 0 deletions
--- a/ossa/OSSA-2018-002.yaml
+++ b/ossa/OSSA-2018-002.yaml
@ -0,0 +1,41 @@
+date: 2018-07-25
+
+id: OSSA-2018-002
+
+title: GET /v3/OS-FEDERATION/projects leaks project information
+
+description: >
+  Kristi Nikolla with Boston University reported a vulnerability
+  in Keystone federation. By doing GET /v3/OS-FEDERATION/projects
+  an authenticated user may discover projects they have no
+  authority to access, leaking all projects in the deployment and
+  their attributes.
+  Only Keystone with the /v3/OS-FEDERATION endpoint enabled via
+  policy.json is affected.
+
+affected-products:
+  - product: keystone
+    version: '<11.0.4, ==12.0.0, ==13.0.0'
+
+vulnerabilities:
+  - cve-id: CVE-2018-14432
+
+reporters:
+  - name: Kristi Nikolla
+    affiliation: Boston University
+    reported:
+      - CVE-2018-14432
+
+issues:
+  links:
+    - https://launchpad.net/bugs/1779205
+
+reviews:
+  rocky:
+    - https://review.openstack.org/585782
+  queens:
+    - https://review.openstack.org/585788
+  pike:
+    - https://review.openstack.org/585792
+  ocata:
+    - https://review.openstack.org/585802