Privilege Escalation in OpenStack Identity (Keystone) by Unauthorized Project Access
CVE-2014-3520

Currently unrated

Key Information:

Vendor: Openstack
Status: Keystone
Vendor: CVE Published:; 26 October 2014

Summary

A vulnerability in OpenStack Identity (Keystone) allows remote authenticated users to exploit trust relationships. By manipulating the project ID in a V2 API trust token request, attackers can gain access to unauthorized projects for which the trustor has specific roles. This could potentially lead to unauthorized resource access and compromise of sensitive data.

References

https://bugs.launchpad.net/keystone/+bug/1331912

x_refsource_CONFIRM

http://lists.openstack.org/pipermail/openstack-announce/2...

mailing-listx_refsource_MLIST

http://secunia.com/advisories/59426

third-party-advisoryx_refsource_SECUNIA

Timeline

Vulnerability published
Oct 26, 2014
Vulnerability Reserved
May 14, 2014