Shardy

**Name of the Vulnerable Software and Affected Versions** OpenStack Identity (Keystone) versions before 2013.2.4 OpenStack Identity (Keystone) versions 2014.1 before 2014.1.2 OpenStack Identity (Keystone) versions Juno before Juno-2 **Description** The issue is related to the improper handling of chained delegation in OpenStack Identity (Keystone), allowing remote authenticated users to gain privileges. This can be achieved by leveraging a trust or an OAuth token with impersonation enabled to create a new token with additional roles. **Recommendations** For versions before 2013.2.4, update to version 2013.2.4 or later. For versions 2014.1 before 2014.1.2, update to version 2014.1.2 or later. For versions Juno before Juno-2, update to Juno-2 or later.

**Name of the Vulnerable Software and Affected Versions** OpenStack Identity (Keystone) versions before Havana 2013.2.1 OpenStack Identity (Keystone) versions before Icehouse icehouse-2 **Description** The issue concerns the ec2tokens API in OpenStack Identity (Keystone), where it fails to return a trust-scoped token when one is received. This allows remote trust users to gain privileges by generating EC2 credentials from a trust-scoped token and using them in an ec2tokens API request, such as the "/ec2tokens" API endpoint, with potentially vulnerable parameters like `trust id` or `token`. **Recommendations** For OpenStack Identity (Keystone) versions before Havana 2013.2.1, update to Havana 2013.2.1 or later to resolve the issue. For OpenStack Identity (Keystone) versions before Icehouse icehouse-2, update to Icehouse icehouse-2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** OpenStack Orchestration API (Heat) versions prior to Havana 2013.2.1 OpenStack Orchestration API (Heat) versions prior to icehouse-2 **Description** The issue allows local in-instance users to bypass intended access restrictions. This can be achieved by creating a stack via the `CreateStack` method or updating a stack via the `UpdateStack` method. **Recommendations** For versions prior to Havana 2013.2.1, update to Havana 2013.2.1 or later to resolve the issue. For versions prior to icehouse-2, update to icehouse-2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** OpenStack Orchestration API (Heat) versions before Havana 2013.2.1 OpenStack Orchestration API (Heat) versions before Icehouse icehouse-2 **Description** The issue allows remote authenticated users to bypass tenant scoping restrictions. This is achieved by modifying the `tenant id` in the request path of the ReST API. **Recommendations** For versions before Havana 2013.2.1, update to Havana 2013.2.1 or later to resolve the issue. For versions before Icehouse icehouse-2, update to Icehouse icehouse-2 or later to resolve the issue. As a temporary workaround, consider restricting access to the ReST API to minimize the risk of exploitation.