keystone is vulnerable to privilege escalation. An authenticated user can masquerade as another, higher-privileged user by updating the user and project of a credential, potentially obtaining administrative privileges.
www.openwall.com/lists/oss-security/2020/05/07/2
bugs.launchpad.net/keystone/+bug/1872733
github.com/openstack/keystone/commit/d009384c9b683008d572f9996e1fe4e5e5d82096
lists.apache.org/thread.html/re237267da268c690df5e1c6ea6a38a7fc11617725e8049490f58a6fa@%3Ccommits.druid.apache.org%3E
lists.apache.org/thread.html/re4ffc55cd2f1b55a26e07c83b3c22c3fe4bae6054d000a57fb48d8c2@%3Ccommits.druid.apache.org%3E
security.openstack.org/ossa/OSSA-2020-004.html
usn.ubuntu.com/4480-1/
www.openwall.com/lists/oss-security/2020/05/06/5