PT-2019-20179 · Openstack · Openstack Keystone

Published

2019-12-09

·

Updated

2019-12-09

None

No severity ratings or metrics are available. When they are, we will update the corresponding information on this page.
Name of the Vulnerable Software and Affected Versions: OpenStack Keystone versions 15.0.0 through 16.0.0
Description: When scope enforcement is disabled (enforce_scope = false in the [oslo_policy] section of keystone.conf, the default in these versions), any user who holds a role on any project can list every credential stored in Keystone through the /v3/credentials API endpoint, not only their own. This leaks other users' credentials, including the secrets that back Time-based One-Time Passwords (TOTP).
Recommendations: On OpenStack Keystone 15.0.0 through 16.0.0, set enforce_scope to true in the [oslo_policy] section of keystone.conf so that the credential policy rules are enforced against the scope of the caller's token. As a temporary workaround, restrict access to the /v3/credentials API endpoint (for example with a policy override on the credential rules) until a fixed release is deployed.
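The following audit script is an added example, not Keystone's own code or tooling. It reads a keystone.conf text and an optional oslo.policy override file (JSON form) and reports the two conditions that matter for this advisory: enforce_scope disabled, and no override on the identity:list_credentials rule. Assumptions: the option lives as enforce_scope under [oslo_policy]; a missing key is treated as false, which was the default in the affected versions; the sample configs and the "rule:admin_required" override are constructed for illustration (the rule name identity:list_credentials is Keystone's, the chosen rule body is not Keystone's default).

```python
"""Audit keystone.conf and a policy override for the conditions in this
advisory: enforce_scope disabled and no restriction on credential listing.

Added example, not Keystone's own code.  Assumptions: the option is
[oslo_policy] enforce_scope in keystone.conf; a missing key means false
(the default in Keystone 15.x/16.x); the override is a JSON policy file.
"""
import configparser
import json
from typing import List, Optional

# Boolean spellings accepted by oslo.config (matched case-insensitively).
TRUE_VALUES = {"1", "true", "yes", "on"}
FALSE_VALUES = {"0", "false", "no", "off"}

# Keystone policy rule that guards listing on /v3/credentials.
LIST_CREDENTIALS_RULE = "identity:list_credentials"

# Constructed sample configuration, not taken from any real deployment.
VULNERABLE_CONF = """\
[DEFAULT]
debug = false

[oslo_policy]
# Default in the affected versions: scope mismatches are only warned about,
# so a project-scoped token passes rules written for other scopes.
enforce_scope = false
policy_file = policy.json
"""

HARDENED_CONF = """\
[DEFAULT]
debug = false

[oslo_policy]
# Mitigation from the advisory: reject tokens whose scope does not match
# the scope the rule was written for.
enforce_scope = True
policy_file = policy.json
"""

# Hypothetical override restricting listing to admins, as a temporary
# workaround.  The rule name is real; the rule body is illustrative only.
RESTRICTIVE_POLICY = json.dumps({LIST_CREDENTIALS_RULE: "rule:admin_required"})


def parse_bool(value: str) -> bool:
    """Interpret an oslo.config-style boolean string."""
    normalised = value.strip().lower()
    if normalised in TRUE_VALUES:
        return True
    if normalised in FALSE_VALUES:
        return False
    raise ValueError(f"not a boolean: {value!r}")


def enforce_scope_enabled(conf_text: str) -> bool:
    """True only when [oslo_policy] enforce_scope is explicitly a true value.

    A missing section or key is reported as False because that was the
    default in the affected releases (assumption, see module docstring).
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    raw = parser.get("oslo_policy", "enforce_scope", fallback="false")
    return parse_bool(raw)


def audit(conf_text: str, policy_json: Optional[str] = None) -> List[str]:
    """Return findings as strings; an empty list means nothing was flagged."""
    findings: List[str] = []
    if not enforce_scope_enabled(conf_text):
        findings.append(
            "[oslo_policy] enforce_scope is false: any user with a role on a "
            "project can list every credential via /v3/credentials"
        )
    if policy_json is not None:
        rules = json.loads(policy_json)
        if LIST_CREDENTIALS_RULE not in rules:
            findings.append(
                f"no override for {LIST_CREDENTIALS_RULE}: Keystone's "
                "in-code default rule applies"
            )
    return findings


if __name__ == "__main__":
    for name, conf, policy in (
        ("vulnerable", VULNERABLE_CONF, "{}"),
        ("hardened", HARDENED_CONF, RESTRICTIVE_POLICY),
    ):
        print(f"{name}: {audit(conf, policy) or ['no findings']}")
```

Run it against a copy of /etc/keystone/keystone.conf by passing the file contents to audit(); a policy override is only checked when one is supplied, since with enforce_scope set to true the advisory's mitigation is already in place.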

Related identifiers

PYSEC-2019-99

Affected products

Openstack Keystone