Privilege Escalation in OpenStack Identity by Mismanaged User and Group IDs
CVE-2014-0204

Currently unrated

Key Information:

Vendor: Openstack
Status: Keystone
Vendor: CVE Published:; 3 November 2014

Summary

In OpenStack Identity (Keystone) prior to version 2014.1.1, a vulnerability exists where roles assigned to groups can be exploited by remote authenticated users. This occurs when a group has the same ID as a user, allowing the user to gain unauthorized privileges associated with that group. This mismanagement of user and group identifiers can lead to significant security breaches if not adequately addressed.

References

https://bugs.launchpad.net/keystone/+bug/1309228

x_refsource_CONFIRM

https://review.openstack.org/#/c/94396/

x_refsource_CONFIRM

http://www.openwall.com/lists/oss-security/2014/05/21/3

mailing-listx_refsource_MLIST

Timeline

Vulnerability published
Nov 3, 2014
Vulnerability Reserved
Dec 3, 2013