CVE-2014-3520

Related Files

Ubuntu Security Notice USN-2324-1

Posted Aug 21, 2014

Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 2324-1 - Steven Hardy discovered that OpenStack Keystone did not properly handle chained delegation. A remove authenticated attacker could use this to gain privileges by creating a new token with additional roles. Jamie Lennox discovered that OpenStack Keystone did not properly validate the project id. A remote authenticated attacker may be able to use this to access other projects. Various other issues were also addressed.

tags | advisory, remote

systems | linux, ubuntu

advisories | CVE-2014-3476, CVE-2014-3520, CVE-2014-5251, CVE-2014-5252, CVE-2014-5253

SHA-256 | 1632498be04b1359c92fbf3613e7ffaae0db2f9cddd39c0d312bdc35e22eb168

Download | Favorite | View

Red Hat Security Advisory 2014-0994-01

Posted Jul 31, 2014

Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-0994-01 - The OpenStack Identity service authenticates and authorizes OpenStack users by keeping track of users and their permitted activities. The Identity service supports multiple forms of authentication, including user name and password credentials, token-based systems, and AWS-style logins. A flaw was found in keystone's chained delegation. A trustee able to create a delegation from a trust or an OAuth token could misuse identity impersonation to bypass the enforced scope, possibly allowing them to obtain elevated privileges to the trustor's projects and roles.

tags | advisory

systems | linux, redhat

advisories | CVE-2014-3476, CVE-2014-3520

SHA-256 | 949f06302ebdd15da42d9c4bdee91521c3c370bd2d54ff6ea4bcf79a5f68e7ed

Download | Favorite | View