Date: Wed, 02 Jul 2014 13:43:06 -0400
From: Tristan Cacqueray <tristan.cacqueray@...vance.com>
To: oss-security@...ts.openwall.com
Subject: [OSSA 2014-022] Keystone V2 trusts privilege escalation through user supplied project id (CVE-2014-3520)

OpenStack Security Advisory: 2014-022
CVE: CVE-2014-3520
Date: July 02, 2014
Title: Keystone V2 trusts privilege escalation through user supplied project id
Reporter: Jamie Lennox (Red Hat)
Products: Keystone
Versions: up to 2013.2.3, and 2014.1 to 2014.1.1

Description:
Jamie Lennox from Red Hat reported a vulnerability in Keystone trusts. By using an out of scope project id, a trustee may gain unauthorized access if the trustor has the required roles in the requested project id. All Keystone deployments configured to enable trusts and V2 API are affected.

Juno (development branch) fix:
https://review.openstack.org/104216

Icehouse fix:
https://review.openstack.org/104217

Havana fix:
https://review.openstack.org/104218

Notes:
This fix will be included in the Juno-2 development milestone and in future 2013.2.4 and 2014.1.2 releases.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3520
https://launchpad.net/bugs/1331912

-- 
Tristan Cacqueray
OpenStack Vulnerability Management Team
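The scope check the advisory describes, as an added illustration that is not Keystone's code or part of the original advisory: a simplified, hypothetical model of trust-scoped token issuance in which `issue_token_vulnerable` takes the project from the request (the pre-fix shape of the bug) and `issue_token_fixed` requires the requested project to be the one the trust was created for and grants only the delegated roles. All identifiers and sample data are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Trust:
    """Delegation record (simplified hypothetical model, not Keystone's)."""
    trust_id: str
    trustor_user_id: str
    trustee_user_id: str
    project_id: str   # the single project the trustor delegated
    roles: tuple      # role names delegated on that project

class TrustScopeError(Exception):
    pass

# Constructed sample data: the trustor holds roles in P1 and P2 but only
# delegated "member" on P1 to the trustee.
TRUSTOR_ROLES = {("trustor", "P1"): {"member", "admin"},
                 ("trustor", "P2"): {"admin"}}
TRUSTS = {"t1": Trust("t1", "trustor", "trustee", "P1", ("member",))}

def _lookup(trust_id, requesting_user):
    trust = TRUSTS[trust_id]
    if trust.trustee_user_id != requesting_user:
        raise TrustScopeError("caller is not the trustee")
    return trust

def issue_token_vulnerable(trust_id, requesting_user, requested_project_id):
    """Pre-fix shape of the bug: the project comes from the request and the
    roles from whatever the trustor holds there; trust.project_id is ignored."""
    trust = _lookup(trust_id, requesting_user)
    roles = TRUSTOR_ROLES.get((trust.trustor_user_id, requested_project_id), set())
    if not roles:
        raise TrustScopeError("trustor has no roles in that project")
    return {"project_id": requested_project_id, "roles": sorted(roles)}

def issue_token_fixed(trust_id, requesting_user, requested_project_id):
    """Hardened: the requested project must equal the trust's project, and
    only delegated roles the trustor still holds are granted."""
    trust = _lookup(trust_id, requesting_user)
    if requested_project_id != trust.project_id:
        raise TrustScopeError("requested project is outside the trust scope")
    held = TRUSTOR_ROLES.get((trust.trustor_user_id, trust.project_id), set())
    roles = [r for r in trust.roles if r in held]
    if not roles:
        raise TrustScopeError("trustor no longer holds the delegated roles")
    return {"project_id": trust.project_id, "roles": roles}
```

With the sample data, the vulnerable path hands the trustee `admin` on P2, a project the trust never covered, while the fixed path rejects that request and returns only `member` on P1.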