Another month passes and again I’ve been struck by boredom - that’s never a good thing! ;)

This time I had a small adventure with OpenStack Keystone which lead me to the discovery of CVE-2019-19687 / OSSA-2019-006.

While the previous CVE that I posted here implied certain preconditions to apply to elevate or disclose information, this one does not.

This issue affects any OpenStack installation running Ussuri, Train or Stein.

As an average joe (unprivileged but authenticated user) you can list and retrieve the MFA credentials (such as TOTP secrets) of any and every user with a simple GET request towards /v3/credentials.

If you run OpenStack and deployed MFA like TOTP you will need to update ASAP.

I’d like to thank the OpenStack Vulnerability Management Team for their prompt actions and guidelines in the process as well as the OpenStack Keystone Team for their extraordinary fast patches.