OSSA-2014-022: Keystone V2 trusts privilege escalation through user supplied

OSSA-2014-022: Keystone V2 trusts privilege escalation through user supplied¶

Date:: July 02, 2014
CVE:: CVE-2014-3520

Affects¶

Keystone: up to 2013.2.3, and 2014.1 to 2014.1.1

Description¶

Jamie Lennox from Red Hat reported a vulnerability in Keystone trusts. By using an out of scope project id, a trustee may gain unauthorized access if the trustor has the required roles in the requested project id. All Keystone deployments configured to enable trusts and V2 API are affected.

Patches¶

https://review.openstack.org/#/c/104218 (Havana)
https://review.openstack.org/#/c/104217 (Icehouse)
https://review.openstack.org/#/c/104216 (Juno)

Credits¶

Jamie Lennox from Red Hat (CVE-2014-3520)

References¶

this page last updated: 2024-03-18 15:52:07

Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.