Home > Vulnerability Database > CVE-2019-19687

WhiteSource Vulnerability Database

CVE-2019-19687

Good to know:

Date: December 19, 2019

OpenStack Keystone 15.0.0 and 16.0.0 is affected by Data Leakage in the list credentials API. Any user with a role on a project is able to list any credentials with the /v3/credentials API when enforce_scope is false. Users with a role on a project are able to view any other users' credentials, which could (for example) leak sign-on information for Time-based One Time Passwords (TOTP). Deployments with enforce_scope set to false are affected. (There will be a slight performance impact for the list credentials API once this issue is fixed.)

Language: Python

Severity Score

8.8

Related Resources (5)

Url: https://access.redhat.com/errata/RHSA-2019:4358

Url: https://review.opendev.org/#/c/697355/

Url: https://review.opendev.org/#/c/697731/

Url: https://nvd.nist.gov/vuln/detail/CVE-2019-19687

Url: https://www.whitesourcesoftware.com/vulnerability-database/CVE-2019-19687

Severity Score

8.8

Weakness Type (CWE)

Insufficiently Protected Credentials

CWE-522

Top Fix

Upgrade Version

No fix version available

CVSS v3.1

Base Score:	8.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

CVSS v2

Base Score:	3.5
Access Vector (AV):	NETWORK
Access Complexity (AC):	MEDIUM
Authentication (AU):	SINGLE
Confidentiality (C):	PARTIAL
Integrity (I):	NONE
Availability (A):	NONE
Additional information:

WhiteSource Vulnerability Database

We found results for “”

CVE-2019-19687

Good to know:

Date: December 19, 2019

Language: Python

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?