Django REST framework

Lookup for vulnerabilities affecting packages.

Vulnerability_id VCID-91yw-81v7-jbay

Summary OpenStack Keystone 15.0.0 and 16.0.0 is affected by Data Leakage in the list credentials API. Any user with a role on a project is able to list any credentials with the /v3/credentials API when enforce_scope is false. Users with a role on a project are able to view any other users' credentials, which could (for example) leak sign-on information for Time-based One Time Passwords (TOTP). Deployments with enforce_scope set to false are affected. (There will be a slight performance impact for the list credentials API once this issue is fixed.)

Aliases

alias	CVE-2019-19687

alias	PYSEC-2019-29

Fixed_packages

url	pkg:pypi/keystone@16.0.1
purl	pkg:pypi/keystone@16.0.1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:pypi/keystone@16.0.1

Affected_packages

url pkg:pypi/keystone@12.0.2

purl pkg:pypi/keystone@12.0.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-72xb-qu9g-wufj

vulnerability	VCID-91yw-81v7-jbay

vulnerability	VCID-kd2c-53va-qbcg

vulnerability	VCID-u4kn-nadh-wqbk

vulnerability	VCID-vr3n-ae3v-mqgz

vulnerability	VCID-zvfa-f3nf-gqh8

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/keystone@12.0.2

url pkg:pypi/keystone@12.0.3

purl pkg:pypi/keystone@12.0.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-72xb-qu9g-wufj

vulnerability	VCID-91yw-81v7-jbay

vulnerability	VCID-kd2c-53va-qbcg

vulnerability	VCID-u4kn-nadh-wqbk

vulnerability	VCID-vr3n-ae3v-mqgz

vulnerability	VCID-zvfa-f3nf-gqh8

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/keystone@12.0.3

url pkg:pypi/keystone@13.0.2

purl pkg:pypi/keystone@13.0.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-72xb-qu9g-wufj

vulnerability	VCID-91yw-81v7-jbay

vulnerability	VCID-kd2c-53va-qbcg

vulnerability	VCID-u4kn-nadh-wqbk

vulnerability	VCID-vr3n-ae3v-mqgz

vulnerability	VCID-zvfa-f3nf-gqh8

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/keystone@13.0.2

url pkg:pypi/keystone@13.0.3

purl pkg:pypi/keystone@13.0.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-72xb-qu9g-wufj

vulnerability	VCID-91yw-81v7-jbay

vulnerability	VCID-kd2c-53va-qbcg

vulnerability	VCID-u4kn-nadh-wqbk

vulnerability	VCID-vr3n-ae3v-mqgz

vulnerability	VCID-zvfa-f3nf-gqh8

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/keystone@13.0.3

url pkg:pypi/keystone@13.0.4

purl pkg:pypi/keystone@13.0.4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-72xb-qu9g-wufj

vulnerability	VCID-91yw-81v7-jbay

vulnerability	VCID-kd2c-53va-qbcg

vulnerability	VCID-u4kn-nadh-wqbk

vulnerability	VCID-vr3n-ae3v-mqgz

vulnerability	VCID-zvfa-f3nf-gqh8

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/keystone@13.0.4

url pkg:pypi/keystone@14.0.0

purl pkg:pypi/keystone@14.0.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-72xb-qu9g-wufj

vulnerability	VCID-91yw-81v7-jbay

vulnerability	VCID-kd2c-53va-qbcg

vulnerability	VCID-u4kn-nadh-wqbk

vulnerability	VCID-vr3n-ae3v-mqgz

vulnerability	VCID-zvfa-f3nf-gqh8

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/keystone@14.0.0

url pkg:pypi/keystone@14.0.1

purl pkg:pypi/keystone@14.0.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-72xb-qu9g-wufj

vulnerability	VCID-91yw-81v7-jbay

vulnerability	VCID-kd2c-53va-qbcg

vulnerability	VCID-u4kn-nadh-wqbk

vulnerability	VCID-vr3n-ae3v-mqgz

vulnerability	VCID-zvfa-f3nf-gqh8

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/keystone@14.0.1

url pkg:pypi/keystone@14.1.0

purl pkg:pypi/keystone@14.1.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-72xb-qu9g-wufj

vulnerability	VCID-91yw-81v7-jbay

vulnerability	VCID-kd2c-53va-qbcg

vulnerability	VCID-u4kn-nadh-wqbk

vulnerability	VCID-vr3n-ae3v-mqgz

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/keystone@14.1.0

url pkg:pypi/keystone@14.2.0

purl pkg:pypi/keystone@14.2.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-72xb-qu9g-wufj

vulnerability	VCID-91yw-81v7-jbay

vulnerability	VCID-kd2c-53va-qbcg

vulnerability	VCID-u4kn-nadh-wqbk

vulnerability	VCID-vr3n-ae3v-mqgz

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/keystone@14.2.0

url pkg:pypi/keystone@15.0.0.0rc1

purl pkg:pypi/keystone@15.0.0.0rc1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-72xb-qu9g-wufj

vulnerability	VCID-91yw-81v7-jbay

vulnerability	VCID-kd2c-53va-qbcg

vulnerability	VCID-u4kn-nadh-wqbk

vulnerability	VCID-vr3n-ae3v-mqgz

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/keystone@15.0.0.0rc1

url pkg:pypi/keystone@15.0.0.0rc2

purl pkg:pypi/keystone@15.0.0.0rc2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-72xb-qu9g-wufj

vulnerability	VCID-91yw-81v7-jbay

vulnerability	VCID-kd2c-53va-qbcg

vulnerability	VCID-u4kn-nadh-wqbk

vulnerability	VCID-vr3n-ae3v-mqgz

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/keystone@15.0.0.0rc2

url pkg:pypi/keystone@15.0.0

purl pkg:pypi/keystone@15.0.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-72xb-qu9g-wufj

vulnerability	VCID-91yw-81v7-jbay

vulnerability	VCID-kd2c-53va-qbcg

vulnerability	VCID-u4kn-nadh-wqbk

vulnerability	VCID-vr3n-ae3v-mqgz

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/keystone@15.0.0

url pkg:pypi/keystone@15.0.1

purl pkg:pypi/keystone@15.0.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-91yw-81v7-jbay

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/keystone@15.0.1

url pkg:pypi/keystone@16.0.0.0rc1

purl pkg:pypi/keystone@16.0.0.0rc1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-91yw-81v7-jbay

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/keystone@16.0.0.0rc1

url pkg:pypi/keystone@16.0.0.0rc2

purl pkg:pypi/keystone@16.0.0.0rc2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-91yw-81v7-jbay

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/keystone@16.0.0.0rc2

url pkg:pypi/keystone@16.0.0

purl pkg:pypi/keystone@16.0.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-91yw-81v7-jbay

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/keystone@16.0.0

References

reference_url	https://access.redhat.com/errata/RHSA-2019:4358
reference_id
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2019:4358

reference_url	https://bugs.launchpad.net/keystone/+bug/1855080
reference_id
reference_type
scores
url	https://bugs.launchpad.net/keystone/+bug/1855080

reference_url	https://review.opendev.org/#/c/697355/
reference_id
reference_type
scores
url	https://review.opendev.org/#/c/697355/

reference_url	https://review.opendev.org/#/c/697611/
reference_id
reference_type
scores
url	https://review.opendev.org/#/c/697611/

reference_url	https://review.opendev.org/#/c/697731/
reference_id
reference_type
scores
url	https://review.opendev.org/#/c/697731/

reference_url	https://security.openstack.org/ossa/OSSA-2019-006.html
reference_id
reference_type
scores
url	https://security.openstack.org/ossa/OSSA-2019-006.html

reference_url	https://usn.ubuntu.com/4262-1/
reference_id
reference_type
scores
url	https://usn.ubuntu.com/4262-1/

reference_url	http://www.openwall.com/lists/oss-security/2019/12/11/8
reference_id
reference_type
scores
url	http://www.openwall.com/lists/oss-security/2019/12/11/8

Weaknesses

Exploits

Severity_range_score null

Exploitability null

Weighted_severity null

Risk_score null

Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-91yw-81v7-jbay

Vulnerability Instance