oss-sec mailing list archives

CVE-2013-2013 - OpenStack keystone password disclosure on command line


From: Kurt Seifried <kseifried () redhat com>
Date: Fri, 26 Apr 2013 00:28:28 -0600


While auditing OpenStack bugs for flaws needing CVEs I came across
this (as yet unfixed) one:

https://bugs.launchpad.net/python-keystoneclient/+bug/938315

[root@rhos ~]# keystone user-password-update --user=jake
usage: keystone user-password-update --pass <password> <user-id>
keystone user-password-update: error: too few arguments

This class of vuln typically gets a CVE.

http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=command+line+password

CVE text:

OpenStack keystone places a username and password on the command line,
which allows local users to obtain credentials by listing the process.

Please use CVE-2013-2013 for this issue.


-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
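An added example, not code from the bug report or from python-keystoneclient, showing both sides of this bug class in Python: a CLI that mirrors the `user-password-update --pass <password> <user-id>` interface but prompts for the password when `--pass` is omitted, and an audit helper that walks `/proc/<pid>/cmdline` for secret-bearing flags and reports only the flag names, never the values. The flag list beyond `--pass`, and the `prompt` injection point, are assumptions made for the example.

```python
import argparse
import getpass
import os
import sys

# Flags whose value on argv is readable by every local user via
# /proc/<pid>/cmdline or `ps -ef` (assumed list; --pass is from the report).
SECRET_FLAGS = {"--pass", "--password", "--os-password"}


def find_exposed_args(argv):
    """Return the secret-bearing flags present in argv, never their values."""
    exposed = []
    for i, tok in enumerate(argv):
        name = tok.split("=", 1)[0]
        has_value = "=" in tok or (i + 1 < len(argv) and argv[i + 1] != "")
        if name in SECRET_FLAGS and has_value:
            exposed.append(name)
    return exposed


def scan_proc(proc_root="/proc"):
    """Detection side: yield (pid, flags) for live processes leaking secrets."""
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        try:
            with open(os.path.join(proc_root, pid, "cmdline"), "rb") as f:
                argv = f.read().decode(errors="replace").split("\0")
        except OSError:
            continue  # process exited or cmdline not readable
        flags = find_exposed_args(argv)
        if flags:
            yield int(pid), flags


def resolve_password(args, prompt=getpass.getpass):
    """Mitigation side: take the password from a hidden prompt, not argv."""
    if args.password is not None:
        # Accepted for compatibility, but it was already exposed at exec time.
        print("warning: --pass is visible in process listings", file=sys.stderr)
        return args.password
    return prompt("New password: ")


def build_parser():
    p = argparse.ArgumentParser(prog="keystone user-password-update")
    p.add_argument("--pass", dest="password",
                   help="discouraged: prompted for when omitted")
    p.add_argument("user_id")
    return p
```

`resolve_password(build_parser().parse_args())` prompts on a terminal when `--pass` is absent; `list(scan_proc())` audits the running Linux host for offenders.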

