GitHub Advisory Database: GHSA-C4P9-87H3-7VR4
May 13, 2022 - 1:26 a.m.

OpenStack Identity Keystone Improper Privilege Management

2022-05-13 01:26:10
CWE-269
GitHub Advisory Database
github.com

CVSS2: 6.5
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P

AI Score: 7.1
Confidence: Low

EPSS: 0.003
Percentile: 71.0%

OpenStack Identity (Keystone) before 2014.1.1 does not properly handle the case where a role is assigned to a group that has the same ID as a user, which allows remote authenticated users to gain privileges that are assigned to a group with the same ID.
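
The following added example is a simplified model of the ID collision described above, with a lookup that resolves roles by actor ID alone next to one that also checks the actor type. It is not Keystone's code: the shared assignment table, the function names and the sample IDs are assumptions constructed for illustration.

```python
# Constructed model of the user/group ID-collision flaw; not Keystone's code.
from collections import namedtuple

# Assumed schema: one table holds both user and group role grants.
Assignment = namedtuple("Assignment", "actor_type actor_id project_id role")

# Constructed sample data: a group whose ID equals a user's ID.
ASSIGNMENTS = [
    Assignment("group", "a1b2c3", "proj-1", "admin"),
    Assignment("user", "a1b2c3", "proj-1", "member"),
    Assignment("user", "d4e5f6", "proj-1", "member"),
]
GROUP_MEMBERS = {"a1b2c3": {"d4e5f6"}}  # group ID -> member user IDs


def roles_for_user_vulnerable(user_id, project_id):
    """Matches on actor ID alone, so a group grant leaks to a same-ID user."""
    return {a.role for a in ASSIGNMENTS
            if a.actor_id == user_id and a.project_id == project_id}


def roles_for_user_fixed(user_id, project_id):
    """Matches direct grants by (type, ID) and group grants via membership."""
    groups = {g for g, members in GROUP_MEMBERS.items() if user_id in members}
    return {a.role for a in ASSIGNMENTS
            if a.project_id == project_id and (
                (a.actor_type == "user" and a.actor_id == user_id) or
                (a.actor_type == "group" and a.actor_id in groups))}


def find_id_collisions(user_ids, group_ids):
    """Audit check: IDs that exist in both the user and group namespaces."""
    return sorted(set(user_ids) & set(group_ids))
```

Running `find_id_collisions` over exported user and group ID lists is a quick way to see whether a deployment has any overlapping IDs at all.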

Affected configurations

Vulners
Node: keystone keystone, Range: <8.0.0a0

Vendor: keystone
Product: keystone
Version: *
CPE: cpe:2.3:a:keystone:keystone:*:*:*:*:*:*:*:*
