← Back to team overview

openstack team mailing list archive

[OSSA 2013-013] Keystone client local information disclosure (CVE-2013-2013)

 

OpenStack Security Advisory: 2013-013
CVE: CVE-2013-2013
Date: May 23, 2013
Title: Keystone client local information disclosure
Reporter: Jake Dahn (Nebula)
Products: python-keystoneclient
Affects: All versions

Description:
Jake Dahn from Nebula reported a vulnerability that the keystone
client only allows passwords to be updated in a clear text
command-line argument, which may enable other local users to obtain
sensitive information by listing the process and potentially leaves
a record of the password within the shell command history.

Fix:
https://review.openstack.org/28702

Notes:
A fix has already been merged to the python-keystoneclient master
branch on 2013-05-21 (commit f2e0818) which adds an interactive
password prompt, and will appear in the next release of
python-keystoneclient.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2013
https://bugs.launchpad.net/python-keystoneclient/+bug/938315

-- 
Jeremy Stanley (fungi)
OpenStack Vulnerability Management Team

Attachment: signature.asc
Description: Digital signature


Follow ups