Description
An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The list of roles provided for an OAuth1 access token is silently ignored. Thus, when an access token is used to request a keystone token, the keystone token contains every role assignment the creator had for the project. This results in the provided keystone token having more role assignments than the creator intended, possibly giving unintended escalated access.
References (7)
Core 7
Core References
Vendor Advisory x_refsource_confirm
https://security.openstack.org/ossa/OSSA-2020-005.html
Patch, Third Party Advisory x_refsource_misc
https://bugs.launchpad.net/keystone/+bug/1873290
Mailing List, Third Party Advisory x_refsource_misc
https://www.openwall.com/lists/oss-security/2020/05/06/6
Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2020/05/07/3
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/re4ffc55cd2f1b55a26e07c83b3c22c3fe4bae6054d000a57fb48d8c2%40%3Ccommits.druid.apache.org%3E
Vendor Advisory vendor-advisory
x_refsource_ubuntu
https://usn.ubuntu.com/4480-1/
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/re237267da268c690df5e1c6ea6a38a7fc11617725e8049490f58a6fa%40%3Ccommits.druid.apache.org%3E
Scores
CVSS v3
8.8
EPSS
0.0082
EPSS Percentile
74.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-613
Status
published
Products (3)
openstack/keystone
16.0.0
openstack/keystone
< 15.0.1
pypi/keystone
0 - 15.0.1PyPI
Published
May 07, 2020
Tracked Since
Feb 18, 2026