Vulnerability in OpenStack Grizzly
CVE-2013-4477
The LDAP backend in OpenStack Identity (Keystone) Grizzly and Havana, when removing a role on a tenant for a user who does not have that role, adds the role to the user, which allows local users to gain privileges.
EPSS: 0.002 (35.5th percentile)
Affected products
- OpenStack Grizzly
- OpenStack Havana
Weakness classification (CWE)
References
- [oss-security] 20131030 [OSSA 2013-028] Unintentional role granting with Keystone LDAP backend (CVE-2013-4477) (mailing-list, x_refsource_MLIST, Patch)
- USN-2034-1 (x_refsource_UBUNTU, vendor-advisory)
- RHSA-2014:0113 (x_refsource_REDHAT, vendor-advisory)
- secalert@redhat.com (x_refsource_CONFIRM, Exploit)