Date: Wed, 02 Jul 2014 13:43:06 -0400
From: Tristan Cacqueray <tristan.cacqueray@...vance.com>
To: oss-security@...ts.openwall.com
Subject: [OSSA 2014-022] Keystone V2 trusts privilege escalation through user supplied project id (CVE-2014-3520)

OpenStack Security Advisory: 2014-022
CVE: CVE-2014-3520
Date: July 02, 2014
Title: Keystone V2 trusts privilege escalation through user supplied
       project id
Reporter: Jamie Lennox (Red Hat)
Products: Keystone
Versions: up to 2013.2.3, and 2014.1 to 2014.1.1

Description:
Jamie Lennox from Red Hat reported a vulnerability in Keystone trusts.
When a trustee requests a trust-scoped token through the V2 API, the
project id supplied in the request is honoured instead of the project the
trust was created for. By supplying a project id outside the scope of the
trust, a trustee may therefore gain unauthorized access to that project if
the trustor holds the required roles in it. All Keystone deployments
configured to enable trusts and the V2 API are affected.

Juno (development branch) fix:
https://review.openstack.org/104216

Icehouse fix:
https://review.openstack.org/104217

Havana fix:
https://review.openstack.org/104218

Notes:
This fix will be included in the Juno-2 development milestone and in
future 2013.2.4 and 2014.1.2 releases.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3520
https://launchpad.net/bugs/1331912

--
Tristan Cacqueray
OpenStack Vulnerability Management Team
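The following is an added illustration of the check described in this advisory, not Keystone's code: it models a trust with a single delegated project and shows a token-issuing routine that takes the project from the request (the flawed behaviour) beside one that pins the token to the trust's own project. The trust, user and project identifiers, the role tables and the function names are constructed for the example; the rule that the trustor must still hold every delegated role is an assumption of this model.

```python
"""Model of a V2 trust-scoped token request, vulnerable and hardened.

Illustrative code only (not Keystone's implementation). All identifiers
and data below are constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Trust:
    trust_id: str
    trustor_user_id: str
    trustee_user_id: str
    project_id: str        # the one project this trust delegates access to
    roles: frozenset       # roles delegated on that project


class AuthError(Exception):
    """Raised when a token request must be refused."""


# Constructed sample data: the trustor has roles in two projects, but the
# trust only delegates "member" on "proj-a".
TRUSTOR_ROLES = {
    ("trustor-1", "proj-a"): {"member"},
    ("trustor-1", "proj-b"): {"admin", "member"},
}
TRUSTS = {
    "trust-1": Trust("trust-1", "trustor-1", "trustee-1", "proj-a",
                     frozenset({"member"})),
}


def _trustor_roles(trust, project_id):
    """Roles the trustor currently holds in project_id (assumed lookup)."""
    return TRUSTOR_ROLES.get((trust.trustor_user_id, project_id), set())


def _check_trustee(trust, user_id):
    if trust.trustee_user_id != user_id:
        raise AuthError("only the trustee may consume this trust")


def issue_trust_token_vulnerable(trust_id, user_id, requested_project_id):
    """Pre-fix behaviour: the project comes from the request body."""
    trust = TRUSTS[trust_id]
    _check_trustee(trust, user_id)
    # FLAW: the caller-supplied project id replaces trust.project_id, so any
    # project where the trustor holds a delegated role becomes reachable.
    project_id = requested_project_id or trust.project_id
    granted = trust.roles & _trustor_roles(trust, project_id)
    if not granted:
        raise AuthError("trustor holds none of the delegated roles here")
    return {"user_id": user_id, "project_id": project_id,
            "roles": sorted(granted), "trust_id": trust_id}


def issue_trust_token_fixed(trust_id, user_id, requested_project_id):
    """Hardened behaviour: the token is always scoped to the trust's project."""
    trust = TRUSTS[trust_id]
    _check_trustee(trust, user_id)
    # A trust-scoped token may only be scoped to the project named in the
    # trust; any other requested project is out of scope and is refused.
    if requested_project_id not in (None, trust.project_id):
        raise AuthError("requested project is outside the scope of the trust")
    project_id = trust.project_id
    # Assumed rule for this model: the trustor must still hold every
    # delegated role, otherwise the delegation can no longer be honoured.
    if not trust.roles <= _trustor_roles(trust, project_id):
        raise AuthError("trustor no longer holds the delegated roles")
    return {"user_id": user_id, "project_id": project_id,
            "roles": sorted(trust.roles), "trust_id": trust_id}


def scope_granted(issue, trust_id, user_id, requested_project_id):
    """Return the project a token would be scoped to, or None if refused."""
    try:
        return issue(trust_id, user_id, requested_project_id)["project_id"]
    except AuthError:
        return None


if __name__ == "__main__":
    for name, fn in (("vulnerable", issue_trust_token_vulnerable),
                     ("fixed", issue_trust_token_fixed)):
        for proj in ("proj-a", "proj-b", None):
            print(name, proj, "->",
                  scope_granted(fn, "trust-1", "trustee-1", proj))
```

Run stand-alone, the vulnerable routine hands the trustee a token scoped to "proj-b", where the trust never delegated anything, while the fixed routine refuses that request and only ever scopes the token to "proj-a". The two routines differ only in whether the project id is read from the request or from the trust record; a request that omits the project id behaves identically in both.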