Auth bypass in Openstack Keystone

CVE-2014-3520

OpenStack Identity (Keystone) before 2013.2.4, 2014.x before 2014.1.2, and Juno before Juno-2 allows remote authenticated trustees to gain access to an unauthorized project for which the trustor has certain roles via the project ID in a V2…

Vulnerability class: Broken Access Control

EPSS: 0.004 (62.8th percentile) — read the EPSS interpretation.

Affected products

Openstack Keystone
N/a — versions n/a

Weakness classification (CWE)

CWE-863 — Incorrect Authorization

References

secalert@redhat.com (x_refsource_CONFIRM, Exploit, Third Party Advisory, Issue Tracking)
[openstack-announce] 20140702 [OSSA 2014-022] Keystone V2 trusts privilege escalation through user supplied project id (CVE-2014-3520) (Vendor Advisory, mailing-list, x_refsource_MLIST, Patch)
59426 (x_refsource_SECUNIA, Third Party Advisory, third-party-advisory)