{
  "threat_severity" : "Important",
  "public_date" : "2019-12-04T00:00:00Z",
  "bugzilla" : {
    "description" : "openstack-keystone: Credentials API allows non-admin to list and retrieve all users credentials",
    "id" : "1781470",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1781470"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.1",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-522",
  "details" : [ "OpenStack Keystone 15.0.0 and 16.0.0 are affected by data leakage in the list credentials API. Any user with a role on a project is able to list any credentials with the /v3/credentials API when enforce_scope is false. Users with a role on a project are able to view any other users' credentials, which could (for example) leak sign-on information for Time-based One Time Passwords (TOTP). Only deployments with enforce_scope set to false are affected. (There will be a slight performance impact for the list credentials API once this issue is fixed.)", "A disclosure vulnerability was found in openstack-keystone's credentials API. Users with a project role are able to list any credentials with the /v3/credentials API when enforce_scope is false. Information for time-based one time passwords (TOTP) may also be disclosed. Only deployments running Keystone with enforce_scope set to false are affected. There will be a slight performance impact for the list credentials API once this issue is fixed." ],
  "affected_release" : [ {
    "product_name" : "Red Hat OpenStack Platform 15.0 (Stein)",
    "release_date" : "2019-12-19T00:00:00Z",
    "advisory" : "RHSA-2019:4358",
    "cpe" : "cpe:/a:redhat:openstack:15::el8",
    "package" : "openstack-keystone-1:15.0.1-0.20190720060412.5f27c4b.1.el8ost"
  }, {
    "product_name" : "Red Hat OpenStack Platform 16.0 (Train)",
    "release_date" : "2020-02-06T00:00:00Z",
    "advisory" : "RHEA-2020:0283",
    "cpe" : "cpe:/a:redhat:openstack:16::el8",
    "package" : "openstack-keystone-1:16.0.1-0.20191210095025.bd3f637.el8ost"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat JBoss Fuse 6",
    "fix_state" : "Not affected",
    "package_name" : "jclouds_openstack-keystone_api",
    "cpe" : "cpe:/a:redhat:jboss_fuse:6"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2019-19687\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-19687\nhttps://seclists.org/oss-sec/2019/q4/152\nhttps://security.openstack.org/ossa/OSSA-2019-006.html" ],
  "name" : "CVE-2019-19687",
  "mitigation" : {
    "value" : "Until the fixed packages listed above are applied, this issue can be mitigated by setting the [oslo_policy] enforce_scope option to 'true' in the keystone.conf file and restarting the Keystone service. Because enforce_scope is a global [oslo_policy] setting, enabling it changes scope enforcement for all Keystone policy checks, not only the credentials API; verify that existing policies and tokens still behave as expected before applying the change in production.",
    "lang" : "en:us"
  },
  "csaw" : false
}