oss-sec mailing list archives
CVE-2013-2013 - OpenStack keystone password disclosure on command line
From: Kurt Seifried <kseifried () redhat com>
Date: Fri, 26 Apr 2013 00:28:28 -0600
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

While auditing OpenStack bugs for flaws needing CVEs I came across this (as of yet unfixed) one:

https://bugs.launchpad.net/python-keystoneclient/+bug/938315

[root@rhos ~]# keystone user-password-update --user=jake
usage: keystone user-password-update --pass <password> <user-id>
keystone user-password-update: error: too few arguments

This class of vuln typically gets a CVE.

http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=command+line+password

CVE text:

OpenStack keystone places a username and password on the command line, which allows local users to obtain credentials by listing the process.

Please use CVE-2013-2013 for this issue.

- --
Kurt Seifried
Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJReh6MAAoJEBYNRVNeJnmTOwMQALncWYbJlDodfKDEbQdqE8aW
JrnFGx+Jm2D8UCUlTIObKbjhhk1Puacc9M9VhQ+Z9/sKuXeP8NwEhVqz8vm1nXul
p7jqPi9DN83+Mg3KGBIATvNFwQb5y0k4GXiOBMuPSew5nfljK8M8PG5VaZ9maBRW
sEmrBUfse1/cnXK/CkHwzT2wbxFZ7z54NHW4cB8CNyF34Wg1saZqAnImJshuVbcF
nPo2TbI6GrpoNzPoBhuWeB2bp48NfZlznL5agTgjLFodpms9qr/cWxpbYlYXlYeV
ENZCpR5ABNvLCxiREE31+0a9q3N7Vi8hpws1ErWKx4HAlsH0cmoqsypvNUIJckhG
Z8UCxOfzpO4QwE2vSQDzz1tpCRyBeWX2USoMqKqIJ2LxbkQCQJROkQ9GMZLvtocL
emLHivjO24tqf+EQAmh6rO5MH2S4kPIQS8x7/tIFoWn+OA1IAUqI2zjSDdLXpiOQ
xwFJ4hVgmEPKOOWEwMhJpLAuwS+m5L9VEo75tFjUKM8OyJB4omtibrqKkoW6sV41
uTiqH9htSuaOwhSqg/Rq0qy/OgOuftQOGBFF9eWsI2ydGZzqUggA7B8B0NBuY7aD
43z8RBCvKeDBpbSZQTBFaoMbeNTNLK4WsdY8zqY1JDDJHby6B3g3ETIKy/KA/4Oc
YmObot4YI6Lo4BOu63U7
=TdT1
-----END PGP SIGNATURE-----
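The flaw class the post describes is that argv of every process is readable by every local user (on Linux through /proc/<pid>/cmdline, which is what `ps` reads), so a `--pass <password>` option leaks the credential. The script below is an added example, not code from the post or from python-keystoneclient: it parses the raw cmdline format, flags secret-carrying options such as the `--pass` from the quoted usage line, produces a redacted copy suitable for an audit report, and shows the mitigation, taking the secret from the environment (OS_PASSWORD, the OpenStack client convention) or an echo-off prompt instead of argv. The flag list, the sample cmdlines and the function names are this example's own assumptions.

```python
"""Audit processes for secrets passed on the command line, and the safe alternative.

Added example; not part of the original oss-sec post or of python-keystoneclient.
"""
import os
import getpass
from typing import Callable, Dict, Iterable, List, Mapping, Tuple

# Options that carry a secret as the next argument or as --flag=value.
# Constructed for this example; extend it for the tools you audit.
SECRET_FLAGS = {"--pass", "--password", "--os-password", "--token", "-p"}
REDACTED = "***"


def parse_cmdline(raw: bytes) -> List[str]:
    """Split the NUL-separated contents of /proc/<pid>/cmdline into argv."""
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]


def find_secret_args(argv: List[str]) -> List[Tuple[str, str]]:
    """Return (flag, value) pairs for every secret visible in argv.

    Handles both '--pass hunter2' and '--pass=hunter2'. A flag with no value
    after it (the 'too few arguments' case quoted in the post) is not a hit.
    """
    hits: List[Tuple[str, str]] = []
    i = 0
    while i < len(argv):
        flag, eq, value = argv[i].partition("=")
        if flag in SECRET_FLAGS:
            if eq:
                hits.append((flag, value))
            elif i + 1 < len(argv):
                hits.append((flag, argv[i + 1]))
                i += 1  # skip the value just consumed
        i += 1
    return hits


def redact(argv: List[str]) -> List[str]:
    """Copy of argv with secret values replaced, safe to write into a report."""
    out: List[str] = []
    i = 0
    while i < len(argv):
        flag, eq, _ = argv[i].partition("=")
        if flag in SECRET_FLAGS:
            if eq:
                out.append(f"{flag}={REDACTED}")
            else:
                out.append(flag)
                if i + 1 < len(argv):
                    out.append(REDACTED)
                    i += 1
        else:
            out.append(argv[i])
        i += 1
    return out


def scan_cmdlines(entries: Iterable[Tuple[int, bytes]]) -> Dict[int, List[str]]:
    """Map pid -> redacted argv for every process that exposes a secret."""
    findings: Dict[int, List[str]] = {}
    for pid, raw in entries:
        argv = parse_cmdline(raw)
        if find_secret_args(argv):
            findings[pid] = redact(argv)
    return findings


def iter_proc_cmdlines(proc: str = "/proc") -> Iterable[Tuple[int, bytes]]:
    """Yield (pid, raw cmdline) for each process readable under /proc (Linux only)."""
    for name in os.listdir(proc):
        if not name.isdigit():
            continue
        try:
            with open(os.path.join(proc, name, "cmdline"), "rb") as f:
                yield int(name), f.read()
        except OSError:  # process exited, or cmdline not readable (hidepid)
            continue


def password_from_env_or_prompt(env: Mapping[str, str],
                                prompt: Callable[[str], str] = getpass.getpass,
                                var: str = "OS_PASSWORD") -> str:
    """The mitigation: read the secret from the environment or an echo-off
    prompt, never from argv. The function name is this example's own."""
    value = env.get(var)
    if value:
        return value
    return prompt("Password: ")


if __name__ == "__main__":
    # Run on a Linux host: prints redacted command lines of offending processes.
    for pid, argv in scan_cmdlines(iter_proc_cmdlines()).items():
        print(f"pid {pid}: {' '.join(argv)}")
```

Run as root the scan covers every process; as an ordinary user it shows exactly what an ordinary user could see, which is the point of the CVE. Mounting /proc with `hidepid=2` limits that visibility to the user's own processes and is a useful host-level stopgap while a client is still taking the password as an option, but the real fix is for the client to prompt or read the environment, as the mitigation function does.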