PT-2014-5370 · Openstack+1 · Openstack Identity+1
Jamie Lennox
+1
·
Published
2014-07-02
·
Updated
2023-02-13
·
CVE-2014-3520
CVSS v2.0
6.5
Medium
| Vector | AV:N/AC:L/Au:S/C:P/I:P/A:P |
Name of the Vulnerable Software and Affected Versions
OpenStack Identity (Keystone) versions before 2013.2.4
OpenStack Identity (Keystone) versions 2014.x before 2014.1.2
OpenStack Identity (Keystone) versions Juno before Juno-2
Description
The issue allows remote authenticated trustees to gain unauthorized access to a project for which the trustor has certain roles. This is achieved via the project ID in a V2 API trust token request.
Recommendations
For versions before 2013.2.4, update to version 2013.2.4 or later.
For versions 2014.x before 2014.1.2, update to version 2014.1.2 or later.
For versions Juno before Juno-2, update to Juno-2 or later.
Exploit
Fix
Incorrect Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Openstack Identity
Ubuntu