OSSA-2017-004: Incorrect role assignment with federated Keystone

Date:April 25, 2017


  • Keystone: >=10.0.0 <=10.0.1, ==11.0.0


Boris Bobrov from Mail.Ru reported a vulnerability in Keystone Federation. An authenticated user may receive all the roles assigned to the user’s project regardless of the federation mapping when there are rules in which group-based assignments are not used. For example, by requesting an admin user to get a role in their project, the user may be granted the admin privileges for new scoped tokens. All setups using the Keystone federation without group based assignments rules are affected.


  • Boris Bobrov from Mail.Ru (CVE-2017-2673)