CVE-2014-3520

Openstack Keystone < 2013.2.4 - Incorrect Authorization

Title source: rule

Description

OpenStack Identity (Keystone) before 2013.2.4, 2014.x before 2014.1.2, and Juno before Juno-2 allows remote authenticated trustees to gain access to an unauthorized project for which the trustor has certain roles via the project ID in a V2 API trust token request.

References (3)

[Patch, Vendor Advisory] http://lists.openstack.org/pipermail/openstack-announce/2014-July/000248.html

[Third Party Advisory] http://secunia.com/advisories/59426

[Exploit, Issue Tracking, Third Party Advisory] https://bugs.launchpad.net/keystone/+bug/1331912

Scores

EPSS 0.0043

EPSS Percentile 62.0%

Classification

CWE

CWE-863

Status draft

Affected Products (1)

openstack/keystone < 2013.2.4

Timeline

Published Oct 26, 2014

Tracked Since Feb 18, 2026