Lucene search

SuseCVELIST:CVE-2019-3683

HistoryFeb 18, 2019 - 12:00 a.m.

CVE-2019-3683 keystone_json_assignment backend granted access to any project for users in user-project-map.json

2019-02-1800:00:00

CWE-732

suse

www.cve.org

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

8.7 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

37.1%

JSON

The keystone-json-assignment package in SUSE Openstack Cloud 8 before commit d7888c75505465490250c00cc0ef4bb1af662f9f every user listed in the /etc/keystone/user-project-map.json was assigned full “member” role access to every project. This allowed these users to access, modify, create and delete arbitrary resources, contrary to expectations.

CNA Affected

[
  {
    "product": "SUSE Openstack Cloud 8",
    "vendor": "SUSE",
    "versions": [
      {
        "lessThan": "d7888c75505465490250c00cc0ef4bb1af662f9f",
        "status": "affected",
        "version": "keystone-json-assignment",
        "versionType": "custom"
      }
    ]
  }
]

References

bugzilla.suse.com/show_bug.cgi?id=1124864

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

8.7 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

37.1%

JSON

Related for CVELIST:CVE-2019-3683