PT-2014-3479 · Eventlet +2

Credit: Kieran Spear +1

Published 2014-04-15 · Updated 2022-05-17

CVE-2014-0105

CVSS v2.0: 6.0 (Medium)

Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: python-keystoneclient versions prior to 0.7.0

Description: A context confusion issue exists in the Keystone auth token middleware, allowing remote authenticated users to potentially gain privileges under certain circumstances. This is related to a bad interaction between eventlet and python-memcached. By making repeated requests with sufficient load on the target system, an authenticated user may assume another authenticated user's complete identity and multi-tenant authorizations, potentially resulting in privilege escalation. This issue affects keystone middleware setups using auth token with memcache.

Recommendations: For versions prior to 0.7.0, update to version 0.7.0 or later to resolve the issue. As a temporary workaround, consider avoiding the use of memcache with the auth token middleware or restricting the load on the target system to minimize the risk of exploitation.

Fix

Weakness Enumeration

Insufficiently Protected Credentials

Related Identifiers

CVE-2014-0105
GHSA-GWVQ-RGQF-993F
OPENSUSE-SU-2024:10471-1
PYSEC-2014-70
RHSA-2014:0382
RHSA-2014:0409
RHSA-2014:0442

Affected Products

Eventlet
Python-Keystoneclient
Python-Memcached