keystone_json_assignment backend granted access to any project for users in user-project-map.json
CVE-2019-3683

8.8HIGH

Key Information:

Vendor: Suse
Status: Suse Openstack Cloud 8
Vendor: CVE Published:; 17 January 2020

Summary

The keystone-json-assignment package in SUSE Openstack Cloud 8 before commit d7888c75505465490250c00cc0ef4bb1af662f9f every user listed in the /etc/keystone/user-project-map.json was assigned full "member" role access to every project. This allowed these users to access, modify, create and delete arbitrary resources, contrary to expectations.

Affected Version(s)

SUSE Openstack Cloud 8 keystone-json-assignment

References

https://bugzilla.suse.com/show_bug.cgi?id=1124864

x_refsource_CONFIRM

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jan 17, 2020
Vulnerability Reserved
Jan 3, 2019

Credit

Kurt Garloff by SUSE