CVE-2014-3520

Severity

60%

Complexity

68%

Confidentiality

106%

OpenStack Identity (Keystone) before 2013.2.4, 2014.x before 2014.1.2, and Juno before Juno-2 allows remote authenticated trustees to gain access to an unauthorized project for which the trustor has certain roles via the project ID in a V2 API trust token request.

OpenStack Identity (Keystone) before 2013.2.4, 2014.x before 2014.1.2, and Juno before Juno-2 allows remote authenticated trustees to gain access to an unauthorized project for which the trustor has certain roles via the project ID in a V2 API trust token request.

CVSS 2.0 Base Score 6. CVSS Attack Vector: network. CVSS Attack Complexity: medium. CVSS Vector: (AV:N/AC:M/Au:S/C:P/I:P/A:P).

Overview

First reported 10 years ago

2014-10-26 20:55:00

Last updated 10 years ago

2014-10-28 13:29:00

Affected Software

OpenStack Keystone 2013.2

2013.2

OpenStack Keystone 2013.2.1

2013.2.1

OpenStack Keystone 2013.2.2

2013.2.2

OpenStack Keystone

OpenStack Keystone 2014.1

2014.1

References

[openstack-announce] 20140702 [OSSA 2014-022] Keystone V2 trusts privilege escalation through user supplied project id (CVE-2014-3520)

Patch, Vendor Advisory

59426

https://bugs.launchpad.net/keystone/+bug/1331912

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.