CVE-2014-3520

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2014-3520
OpenStack Identity (Keystone) before 2013.2.4, 2014.x before 2014.1.2, and Juno before Juno-2 allows remote authenticated trustees to gain access to an unauthorized project for which the trustor has certain roles via the project ID in a V2 API trust token request.

6.5 /10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:S/C:P/I:P/A:P

Exploitability : 8.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References
Link Resource
http://lists.openstack.org/pipermail/openstack-announce/2014-July/000248.html Patch Vendor Advisory
http://secunia.com/advisories/59426 Third Party Advisory
https://bugs.launchpad.net/keystone/+bug/1331912 Exploit Issue Tracking Third Party Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:openstack:keystone:*:*:*:*:*:*:*:*
cpe:2.3:a:openstack:keystone:*:*:*:*:*:*:*:*
History

13 Feb 2023, 00:40

Type Values Removed Values Added
References
  • {'url': 'https://access.redhat.com/security/cve/CVE-2014-3520', 'name': 'https://access.redhat.com/security/cve/CVE-2014-3520', 'tags': [], 'refsource': 'MISC'}
  • {'url': 'https://bugzilla.redhat.com/show_bug.cgi?id=1112668', 'name': 'https://bugzilla.redhat.com/show_bug.cgi?id=1112668', 'tags': [], 'refsource': 'MISC'}
  • {'url': 'https://access.redhat.com/errata/RHSA-2014:0994', 'name': 'https://access.redhat.com/errata/RHSA-2014:0994', 'tags': [], 'refsource': 'MISC'}
Summary A flaw was found in the way keystone handled trusts. A trustee could use an out-of-scope project ID to gain unauthorized access to a project if the trustor had the required roles for that requested project. OpenStack Identity (Keystone) before 2013.2.4, 2014.x before 2014.1.2, and Juno before Juno-2 allows remote authenticated trustees to gain access to an unauthorized project for which the trustor has certain roles via the project ID in a V2 API trust token request.

02 Feb 2023, 20:17

Type Values Removed Values Added
Summary OpenStack Identity (Keystone) before 2013.2.4, 2014.x before 2014.1.2, and Juno before Juno-2 allows remote authenticated trustees to gain access to an unauthorized project for which the trustor has certain roles via the project ID in a V2 API trust token request. A flaw was found in the way keystone handled trusts. A trustee could use an out-of-scope project ID to gain unauthorized access to a project if the trustor had the required roles for that requested project.
References
  • (MISC) https://access.redhat.com/security/cve/CVE-2014-3520 -
  • (MISC) https://bugzilla.redhat.com/show_bug.cgi?id=1112668 -
  • (MISC) https://access.redhat.com/errata/RHSA-2014:0994 -
Information

Published : 2014-10-26 20:55

Updated : 2023-12-10 11:31

NVD link : CVE-2014-3520

Mitre link : CVE-2014-3520

CVE.ORG link : CVE-2014-3520

JSON object : View

Products Affected

openstack

  • keystone
CWE
CWE-863

Incorrect Authorization