CVE-2014-3476

OpenStack Keystone Privilege Escalation via Chained Delegation

Title source: llm

Description

OpenStack Identity (Keystone) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2 does not properly handle chained delegation, which allows remote authenticated users to gain privileges by leveraging a (1) trust or (2) OAuth token with impersonation enabled to create a new token with additional roles.

References (6)

Core 6

Core References

Mailing List, Third Party Advisory vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2014-06/msg00031.html

Third Party Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/59547

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/68026

Exploit, Issue Tracking, Third Party Advisory x_refsource_confirm

https://bugs.launchpad.net/keystone/+bug/1324592

Third Party Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/57886

Mailing List, Patch, Third Party Advisory mailing-list x_refsource_mlist

http://www.openwall.com/lists/oss-security/2014/06/12/3

Scores

EPSS 0.0072

EPSS Percentile 72.7%

Details

CWE

CWE-269

Status published

Products (3)

openstack/keystone 2013.2 - 2013.2.4

pypi/keystone 0 - 8.0.0a0PyPI

suse/cloud 3

Published Jun 17, 2014

Tracked Since Feb 18, 2026