Privilege escalation in OpenStack Keystone
CVE-2014-3476
OpenStack Identity (Keystone) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2 does not properly handle chained delegation, which allows remote authenticated users to gain privileges by leveraging a (1) trust or (2) OAuth to…
Vulnerability class: Privilege Escalation
EPSS: 0.007 (72.9th percentile)
Affected products
- OpenStack Keystone
- SUSE Cloud — versions 3
References
- SUSE-SU-2014:0848 (vendor-advisory, Mailing List, Third Party Advisory, x_refsource_SUSE)
- 59547 (x_refsource_SECUNIA, Third Party Advisory, third-party-advisory)
- 68026 (Third Party Advisory, VDB Entry, vdb-entry, x_refsource_BID)
- secalert@redhat.com (x_refsource_CONFIRM, Exploit, Third Party Advisory, Issue Tracking)
- 57886 (x_refsource_SECUNIA, Third Party Advisory, third-party-advisory)
- [oss-security] 20140612 [OSSA 2014-018] Keystone privilege escalation through trust chained delegation (CVE-2014-3476) (mailing-list, x_refsource_MLIST, Patch, Mailing List, Third Party Advisory)