OSSA-2014-022: Keystone V2 trusts privilege escalation through user supplied

Date

July 02, 2014

CVE

CVE-2014-3520

Affects

  • Keystone: up to 2013.2.3, and 2014.1 to 2014.1.1

Description

Jamie Lennox from Red Hat reported a vulnerability in Keystone trusts. By using an out-of-scope project ID, a trustee may gain unauthorized access if the trustor has the required roles in the requested project. All Keystone deployments configured to enable trusts and the V2 API are affected.
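The scope check this class of bug calls for, shown as an added example on a simplified in-memory model. This is not Keystone code: the Trust class, the function names, the user names and the project IDs are all hypothetical, and the sample data is constructed.

```python
# Added illustration: simplified model of trust-scoped authorization.
# Not Keystone code; all names and data below are hypothetical.
from dataclasses import dataclass


class Unauthorized(Exception):
    """Raised when a trust-scoped request must be refused."""


@dataclass(frozen=True)
class Trust:
    trustor: str          # user who delegates
    trustee: str          # user who receives the delegation
    project_id: str       # the only project the trust covers
    roles: frozenset      # roles the trustor delegated


# Constructed sample data: alice holds roles in two projects but
# delegates "member" to bob on proj-dev only.
ROLE_ASSIGNMENTS = {
    ("alice", "proj-dev"): {"member"},
    ("alice", "proj-prod"): {"member", "admin"},
}
TRUST = Trust("alice", "bob", "proj-dev", frozenset({"member"}))


def _trustor_roles(trust, project_id):
    return ROLE_ASSIGNMENTS.get((trust.trustor, project_id), set())


def roles_unchecked(trust, user, requested_project):
    """Flawed: the scope is taken from the request, not from the trust."""
    if user != trust.trustee:
        raise Unauthorized("user is not the trustee")
    # Only verifies that the trustor holds the delegated roles in
    # whatever project the caller asked for.
    if not trust.roles <= _trustor_roles(trust, requested_project):
        raise Unauthorized("trustor lacks the delegated roles")
    return set(trust.roles)


def roles_checked(trust, user, requested_project):
    """Hardened: the requested project must be the trust's own project."""
    if user != trust.trustee:
        raise Unauthorized("user is not the trustee")
    if requested_project != trust.project_id:
        raise Unauthorized("project is outside the scope of the trust")
    if not trust.roles <= _trustor_roles(trust, trust.project_id):
        raise Unauthorized("trustor lacks the delegated roles")
    return set(trust.roles)
```

In this model the unchecked path grants bob "member" on proj-prod because alice happens to hold that role there, while the checked path refuses any project other than the one named in the trust.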

Credits

  • Jamie Lennox from Red Hat (CVE-2014-3520)

Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License.