Local Information Disclosure in Keystone Client by OpenStack
CVE-2013-2013

Currently unrated

Key Information:

Vendor: Openstack
Status: Python-keystoneclient
Vendor: CVE Published:; 1 October 2013

Summary

The user-password-update command in the Keystone Client for OpenStack allows local users to exploit the --password argument to potentially expose sensitive information. This can be achieved by listing the process and retrieving passwords that should otherwise remain confidential. It is important for users of versions prior to 0.2.4 to be aware of this security flaw and implement necessary precautions.

References

http://www.openwall.com/lists/oss-security/2013/05/23/4

mailing-listx_refsource_MLIST

https://oval.cisecurity.org/repository/search/definition/...

vdb-entrysignaturex_refsource_OVAL

https://bugs.launchpad.net/python-keystoneclient/+bug/938315

x_refsource_CONFIRM

Timeline

Vulnerability published
Oct 1, 2013
Vulnerability Reserved
Feb 19, 2013