History: Oct 26, 2014 - 8:55 p.m.

CVE-2014-3520

2014-10-26 20:55:02
CWE-863
web.nvd.nist.gov
cve-2014-3520
openstack identity
keystone
remote access
unauthorized project
trustee
api
security vulnerability

CVSS2: 6.5 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P

AI Score: 6.4 Medium (Confidence: Low)

EPSS: 0.006 Low (Percentile: 78.0%)

OpenStack Identity (Keystone) before 2013.2.4, 2014.x before 2014.1.2, and Juno before Juno-2 allows remote authenticated trustees to gain access to an unauthorized project for which the trustor has certain roles via the project ID in a V2 API trust token request.

Affected configurations

NVD
Node
openstack keystone, range 2013.2 to 2013.2.4
OR
openstack keystone, range 2014.1 to 2014.1.2
