CVE-2019-10138: Improper Access Control in novajoin

March 12, 2020 (updated September 26, 2024)

A flaw was discovered in the python-novajoin plugin, all versions up to, excluding 1.1.1, for Red Hat OpenStack Platform. The novajoin API lacked sufficient access control, allowing any keystone authenticated user to generate FreeIPA tokens.

References

bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10138
github.com/advisories/GHSA-xf8c-3cgx-fcwm
github.com/openstack-archive/novajoin
github.com/pypa/advisory-database/tree/main/vulns/novajoin/PYSEC-2019-192.yaml
nvd.nist.gov/vuln/detail/CVE-2019-10138
review.opendev.org/

Detect and mitigate CVE-2019-10138 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →