Boris Bobrov

**Name of the Vulnerable Software and Affected Versions** OpenStack Keystone versions prior to 29.0.2 **Description** The application credential authentication plugin fails to verify if the user provided in the authentication request is the actual owner of the application credential. An attacker can use their own application credential ID and secret while specifying a different user's name and domain in the request body. This results in the issuance of a project-scoped token attributed to the victim user, containing the intersection of the application credential's roles and the victim's roles within the project. This flaw allows for audit evasion, access to the victim's credentials, and the ability to act as the victim in shared projects. **Recommendations** Update to version 29.0.2.

**Name of the Vulnerable Software and Affected Versions** OpenStack Keystone versions 14.0.0 through 29.0.1 **Description** The RBAC policy enforcer in the `enforce call()` function unconditionally merges the raw JSON request body into the policy enforcement dictionary using `policy dict.update(json input.copy())`. This process overwrites trusted target data previously retrieved from database lookups. Since `flask.request.get json` is executed with `force=True`, the merge occurs regardless of the HTTP method or Content-Type. Consequently, an authenticated user can inject arbitrary policy target attributes, such as `user id` or `project id`, into the request body to bypass Role-Based Access Control (RBAC) checks and perform unauthorized operations on resources belonging to other users or projects. **Recommendations** Update to version 29.0.2.

**Name of the Vulnerable Software and Affected Versions** OpenStack Keystone versions prior to 29.0.2 **Description** A privilege escalation issue exists where an attacker with a member role on a project can escalate their privileges to admin. This is achieved by chaining unrestricted application credentials with Keystone trusts in conjunction with an application credential impersonation flaw. The impersonated token uses the victim's identity to pass the trustor validation check. Keystone then validates delegated roles against the victim's actual role assignments in the database rather than the roles on the requesting token, allowing the attacker to create a trust that delegates the victim's admin role to themselves. This trust persists independently, enabling the creation of further trusts and application credentials to maintain access, with all actions logged under the victim's identity. **Recommendations** Update to version 29.0.2 or later.

**Name of the Vulnerable Software and Affected Versions** OpenStack Identity service (keystone) (affected versions not specified) **Description** An authorization-check flaw was discovered in federation configurations of the OpenStack Identity service. This issue allows an authenticated federated user to request permissions to a project and unintentionally be granted all related roles, including administrative roles. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.