PT-2019-15911 · Openstack+1 · Openstack Keystone+1

Daniel Preussker · Published 2019-12-09 · Updated 2022-05-24 · CVE-2019-19687

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

OpenStack Keystone versions 15.0.0 through 16.0.0

Description

The issue allows any user with a role on a project to list any credentials using the "/v3/credentials" API endpoint when enforce scope is false. This could lead to data leakage, including sign-on information for Time-based One Time Passwords (TOTP), as users with a role on a project can view any other users' credentials. Deployments with enforce scope set to false are affected.

Recommendations

For OpenStack Keystone versions 15.0.0 through 16.0.0, consider setting enforce scope to true to mitigate the risk of data leakage. As a temporary workaround, restrict access to the "/v3/credentials" API endpoint to minimize the risk of exploitation.
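A configuration audit for the condition described above, as an added example that is not part of the original advisory or of Keystone itself. It assumes the setting is the `enforce_scope` option in the `[oslo_policy]` section of keystone.conf and that an unset option counts as false; the sample configuration text is constructed.

```python
import configparser
import re

# Affected range as stated in the advisory: 15.0.0 through 16.0.0.
AFFECTED_MIN, AFFECTED_MAX = (15, 0, 0), (16, 0, 0)
TRUE_VALUES = {"1", "true", "yes", "on"}


def parse_version(text):
    """Turn '15.0.1' or '16.0.0rc1' into a 3-tuple of ints for comparison."""
    nums = []
    for piece in text.strip().split(".")[:3]:
        match = re.match(r"\d+", piece)
        if match:
            nums.append(int(match.group()))
    return tuple(nums + [0] * (3 - len(nums)))


def enforce_scope_enabled(conf_text):
    """Return True only if [oslo_policy] enforce_scope is explicitly true.

    Assumption: a missing section or option is treated as false, so a
    commented-out line such as '#enforce_scope = true' does not count.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    raw = parser.get("oslo_policy", "enforce_scope", fallback="false")
    return raw.strip().lower() in TRUE_VALUES


def audit(version, conf_text):
    """Classify a deployment as 'exposed', 'mitigated' or 'not-affected-version'."""
    if not (AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX):
        return "not-affected-version"
    return "mitigated" if enforce_scope_enabled(conf_text) else "exposed"


# Constructed sample configurations, not taken from a real deployment.
SAMPLE_UNSET = "[DEFAULT]\ndebug = false\n\n[oslo_policy]\n#enforce_scope = true\n"
SAMPLE_SET = "[DEFAULT]\ndebug = false\n\n[oslo_policy]\nenforce_scope = True\n"

if __name__ == "__main__":
    for name, conf in (("unset", SAMPLE_UNSET), ("set", SAMPLE_SET)):
        print(name, audit("15.0.0", conf))
```
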

Exploit

Fix

Insufficiently Protected Credentials


Weakness Enumeration

Related identifiers

CVE-2019-19687
GHSA-2J23-FWQM-MGWR
PYSEC-2019-29
RHSA-2019:4358
USN-4262-1

Affected products

Openstack Keystone
Ubuntu