Bugzilla – Bug 885798
VUL-0: CVE-2014-3520: openstack-keystone: Keystone V2 trusts privilege escalation through user
Last modified: 2015-07-22 07:25:55 UTC
CVE: CVE-2014-3520
Title: Keystone V2 trusts privilege escalation through user supplied project id
Reporter: Jamie Lennox (Red Hat)
Products: Keystone
Versions: up to 2013.2.3, and 2014.1 to 2014.1.1
Description:
Jamie Lennox from Red Hat reported a vulnerability in Keystone trusts. By using an out-of-scope project id, a trustee may gain unauthorized access if the trustor has the required roles in the requested project id. All Keystone deployments configured to enable trusts and the V2 API are affected.
References:
http://openwall.com/lists/oss-security/2014/07/02/7
https://bugs.launchpad.net/keystone/+bug/1331912
https://bugzilla.redhat.com/show_bug.cgi?id=1112668
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3520
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-3520.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3520
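The advisory names the flaw (the project id in the request, rather than the one recorded in the trust, decides the token's scope) but not the check that closes it. The following is an added illustrative model, not Keystone's own code: the users, the in-memory role table and the trust are constructed, and the two issuer functions contrast the pre-fix scoping with a hardened variant that refuses any tenantId other than the trust's project_id.

```python
from dataclasses import dataclass

class Forbidden(Exception):
    """Raised when a trust-scoped token request must be refused."""

@dataclass(frozen=True)
class Trust:
    trust_id: str
    trustor_user_id: str  # user delegating roles
    trustee_user_id: str  # user allowed to consume the trust
    project_id: str       # the single project the delegation is scoped to
    roles: tuple          # roles delegated within that project

# Constructed sample state: trustor "alice" holds "member" in two projects,
# but trust-1 delegates "member" on proj-a only, to "bob".
ROLE_ASSIGNMENTS = {("alice", "proj-a"): {"member"},
                    ("alice", "proj-b"): {"member", "admin"}}
TRUSTS = {"trust-1": Trust("trust-1", "alice", "bob", "proj-a", ("member",))}

def _consume_trust(trustee_id, trust_id, tenant_id):
    """Steps common to both variants: the caller must be the trustee, and the
    trustor must still hold every delegated role in the tenant being scoped to."""
    trust = TRUSTS[trust_id]
    if trust.trustee_user_id != trustee_id:
        raise Forbidden("caller is not the trustee")
    trustor_roles = ROLE_ASSIGNMENTS.get((trust.trustor_user_id, tenant_id), set())
    missing = [r for r in trust.roles if r not in trustor_roles]
    if missing:
        raise Forbidden("trustor lacks %s in %s" % (missing, tenant_id))
    return {"user_id": trustee_id, "tenant_id": tenant_id,
            "roles": list(trust.roles), "trust_id": trust_id}

def issue_trust_token_vulnerable(trustee_id, trust_id, tenant_id):
    """Pre-fix: the request's tenantId alone picks the scope, so any project
    where the trustor holds the delegated roles is reachable via the trust."""
    return _consume_trust(trustee_id, trust_id, tenant_id)

def issue_trust_token_fixed(trustee_id, trust_id, tenant_id):
    """Hardened: a tenantId other than the trust's own project_id is refused
    before the trustor's role assignments are even consulted."""
    if tenant_id != TRUSTS[trust_id].project_id:
        raise Forbidden("trust %s is not scoped to %s" % (trust_id, tenant_id))
    return _consume_trust(trustee_id, trust_id, tenant_id)

def refused(issuer, *request):
    """True when the issuer rejects the request with Forbidden."""
    try:
        issuer(*request)
    except Forbidden:
        return True
    return False
```

With the sample state, the pre-fix issuer hands bob a token scoped to proj-b because alice happens to hold "member" there, while the hardened issuer refuses that request and still honours the legitimate proj-a one.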
https://review.openstack.org/#/q/I00ad783bcb93cea9e5622965f81b91c80f4570cc,n,z is in our packages now
bugbot adjusting priority
submitted https://build.suse.de/request/show/40779 Cloud3 / openstack-keystone
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages by 2014-07-21. When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/58188
Affected packages:
SLE-11-SP2-PRODUCTS: openstack-keystone
SLE-11-SP3: openstack-keystone
SLE-11-SP3-CLOUD4: openstack-keystone
SLE-11-SP3-PRODUCTS: openstack-keystone
SLE-11-SP3-UPTU: openstack-keystone
SUSE-SU-2014:0988-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 885798
CVE References: CVE-2014-3520
Sources used:
SUSE Cloud 3 (src): openstack-keystone-2013.2.4.dev6.g96d9bcf-0.7.1, openstack-keystone-doc-2013.2.4.dev6.g96d9bcf-0.7.1
Fix was released. Closing bug.
fixed and released