Vulnerability in Keystone affects IBM SmartCloud Orchestrator (CVE-2014-3520).
Keystone V2 trusts allow privilege escalation through a user-supplied project ID. By using an out-of-scope project ID, a trustee might gain unauthorized access if the trustor has the required roles in the requested project ID. All Keystone deployments configured to enable trusts and the V2 API are affected.
CVE-ID: CVE-2014-3520
DESCRIPTION: OpenStack Keystone might allow a remote authenticated attacker to gain elevated privileges on the system, which is caused by an error when handling a project ID. An attacker with the appropriate roles might exploit this vulnerability to gain elevated privileges on the system.
CVSS Base Score: 6.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/94282> for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:P/A:P)
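As an added illustration (not code from Keystone or IBM), this simplified Python model shows the scope check the description implies is missing: the project ID in a trust-scoped token request must equal the project the trust was created for. The `Trust` class, the function names, and the sample users and projects are hypothetical.

```python
from dataclasses import dataclass


class Forbidden(Exception):
    """Token request rejected."""


@dataclass(frozen=True)
class Trust:
    # Hypothetical, simplified stand-in for a Keystone trust record.
    trustor_id: str
    trustee_id: str
    project_id: str        # the only project the trustor delegated
    roles: frozenset       # roles delegated on that project


# Constructed sample data: roles the trustor holds in each project.
TRUSTOR_ROLES = {
    ("alice", "proj-dev"): frozenset({"member"}),
    ("alice", "proj-prod"): frozenset({"member", "admin"}),
}
# alice delegates "member" on proj-dev only, to bob.
TRUST = Trust("alice", "bob", "proj-dev", frozenset({"member"}))


def _delegated_roles(trust, requester_id, project_id):
    # Only the trustee may consume the trust.
    if requester_id != trust.trustee_id:
        raise Forbidden("requester is not the trustee")
    # The trustor must still hold every delegated role in the project.
    held = TRUSTOR_ROLES.get((trust.trustor_id, project_id), frozenset())
    if not trust.roles <= held:
        raise Forbidden("trustor lacks the delegated roles in this project")
    return project_id, trust.roles


def scope_unchecked(trust, requester_id, requested_project_id):
    """Behaviour the advisory describes: the request's project ID is trusted."""
    return _delegated_roles(trust, requester_id, requested_project_id)


def scope_checked(trust, requester_id, requested_project_id):
    """Hardened form: reject any project ID other than the trust's own."""
    if requested_project_id != trust.project_id:
        raise Forbidden("requested project is outside the trust's scope")
    return _delegated_roles(trust, requester_id, trust.project_id)
```

With the constructed data, `scope_unchecked` returns a `proj-prod` scope for a trust that only covers `proj-dev`, while `scope_checked` raises `Forbidden` for the same request.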
IBM SmartCloud Orchestrator 2.3 and IBM SmartCloud Orchestrator 2.3 Fix Pack 1 (2.3.0.1) up to Interim Fix 4
Upgrade to IBM SmartCloud Orchestrator 2.3.0 Fix Pack 1 Interim Fix 5 or later.
None
CPE Name | Operator | Version
---|---|---
ibm smartcloud orchestrator | eq | 2.3
ibm smartcloud orchestrator | eq | 2.3.0.1