oss-sec mailing list archives

[OSSA 2013-013] Keystone client local information disclosure (CVE-2013-2013)

From: Jeremy Stanley <jeremy () openstack org>
Date: Thu, 23 May 2013 20:52:12 +0000

OpenStack Security Advisory: 2013-013
CVE: CVE-2013-2013
Date: May 23, 2013
Title: Keystone client local information disclosure
Reporter: Jake Dahn (Nebula)
Products: python-keystoneclient
Affects: All versions

Description:
Jake Dahn from Nebula reported a vulnerability that the keystone
client only allows passwords to be updated in a clear text
command-line argument, which may enable other local users to obtain
sensitive information by listing the process and potentially leaves
a record of the password within the shell command history.

Fix:
https://review.openstack.org/28702

Notes:
A fix has already been merged to the python-keystoneclient master
branch on 2013-05-21 (commit f2e0818) which adds an interactive
password prompt, and will appear in the next release of
python-keystoneclient.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2013
https://bugs.launchpad.net/python-keystoneclient/+bug/938315

-- 
Jeremy Stanley (fungi)
OpenStack Vulnerability Management Team

Attachment: signature.asc
Description: Digital signature

Current thread:

[OSSA 2013-013] Keystone client local information disclosure (CVE-2013-2013) Jeremy Stanley (May 23)
- Re: [Openstack] [OSSA 2013-013] Keystone client local information disclosure (CVE-2013-2013) Lloyd Dewolf (Jun 03)
  - Re: [Openstack] [OSSA 2013-013] Keystone client local information disclosure (CVE-2013-2013) Jeremy Stanley (Jun 03)
    - Re: [Openstack] [OSSA 2013-013] Keystone client local information disclosure (CVE-2013-2013) Lloyd Dewolf (Jun 03)
    - Re: [OSSA 2013-013] Keystone client local information disclosure (CVE-2013-2013) Jeremy Stanley (Jun 03)
    - Re: [Openstack] [OSSA 2013-013] Keystone client local information disclosure (CVE-2013-2013) Robert Collins (Jun 03)