Low severity · NVD Advisory · Published Oct 1, 2013 · Updated Apr 29, 2026
CVE-2013-2013
Description
The user-password-update command in python-keystoneclient before 0.2.4 accepts the new password in the --password argument, which allows local users to obtain sensitive information by listing the process.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| python-keystoneclient (PyPI) | < 0.2.4 | 0.2.4 |
Affected products
- cpe:2.3:a:openstack:python-keystoneclient:*:*:*:*:*:*:*:* (range: <=0.2.3)
- cpe:2.3:a:openstack:python-keystoneclient:0.2.2:*:*:*:*:*:*:*
Patches
f2e0818bc97b: Allow secure user password update.
2 files changed · +30 −3
keystoneclient/utils.py+22 −1 modified@@ -1,5 +1,7 @@ -import uuid +import getpass import hashlib +import sys +import uuid import prettytable @@ -128,3 +130,22 @@ def hash_signed_token(signed_text): hash_ = hashlib.md5() hash_.update(signed_text) return hash_.hexdigest() + + +def prompt_for_password(): + """ + Prompt user for password if not provided so the password + doesn't show up in the bash history. + """ + if not (hasattr(sys.stdin, 'isatty') and sys.stdin.isatty()): + # nothing to do + return + + while True: + try: + new_passwd = getpass.getpass('New Password: ') + rep_passwd = getpass.getpass('Repeat New Password: ') + if new_passwd == rep_passwd: + return new_passwd + except EOFError: + return
keystoneclient/v2_0/shell.py+8 −2 modified@@ -17,6 +17,7 @@ import argparse import getpass +import sys from keystoneclient.v2_0 import client from keystoneclient import utils @@ -103,14 +104,19 @@ def do_user_update(kc, args): print 'Unable to update user: %s' % e -@utils.arg('--pass', metavar='<password>', dest='passwd', required=True, +@utils.arg('--pass', metavar='<password>', dest='passwd', required=False, help='Desired new password') @utils.arg('user', metavar='<user>', help='Name or ID of user to update password') def do_user_password_update(kc, args): """Update user password""" user = utils.find_resource(kc.users, args.user) - kc.users.update_password(user, args.passwd) + new_passwd = args.passwd or utils.prompt_for_password() + if new_passwd is None: + msg = ("\nPlease specify password using the --pass option " + "or using the prompt") + sys.exit(msg) + kc.users.update_password(user, new_passwd) @utils.arg('--current-password', metavar='<current-password>',
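Review bot: In prompt_for_password() in keystoneclient/utils.py, the `if new_passwd == rep_passwd:` check has no else branch, so a mismatch silently re-prompts with no message, and two empty entries compare equal and return '' which the caller's `if new_passwd is None` test does not catch. Print a mismatch notice before looping and reject an empty value. The docstring also names only the bash history as the exposure; it should mention the process listing as well, since that is where a command-line password is visible to other local users.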
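Review bot: In do_user_password_update in keystoneclient/v2_0/shell.py, `--pass` is only switched to `required=False`, so a password supplied on the command line is still taken from `args.passwd` and remains visible in the process list, and the new sys.exit message still tells the user to "specify password using the --pass option". Reword the help text and the exit message to point users at the interactive prompt, and consider warning when `--pass` is used. The non-interactive case (prompt_for_password() returning None when stdin is not a tty) leaves `--pass` as the only documented route, which deserves a comment or an alternative such as reading the password from stdin.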
References
- www.openwall.com/lists/oss-security/2013/05/23/4 (nvd, Patch, WEB)
- github.com/advisories/GHSA-8q2m-pwxf-jc7g (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2013-2013 (ghsa, ADVISORY)
- bugs.launchpad.net/python-keystoneclient/+bug/938315 (nvd, WEB)
- github.com/openstack/python-keystoneclient/commit/f2e0818bc97bfbeba83f6abbb07909a8debcad77 (ghsa, WEB)
- github.com/pypa/advisory-database/tree/main/vulns/python-keystoneclient/PYSEC-2013-24.yaml (ghsa, WEB)
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16937 (nvd, WEB)