what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 1 of 1 RSS Feed

CVE-2015-6861

Status Candidate

Overview

HPE Helion Eucalyptus 3.4.0 through 4.2.0 allows remote authenticated users to bypass an intended AssumeRole permission requirement and assume an IAM role by leveraging a policy setting for a user's account.

Related Files

HP Security Bulletin HPSBGN03527 1
Posted Dec 21, 2015
Authored by HP | Site hp.com

HP Security Bulletin HPSBGN03527 1 - A potential security vulnerability has been identified with HPE Helion Eucalyptus. The vulnerability could be exploited to bypass access permissions by a remote authenticated user. Notes: - In Eucalyptus, following the AWS model, IAM roles are used to temporarily allow users or services to access resources within or across accounts. Access to roles is determined by the role.s trust policy and a set of user permissions. The trust policy is associated with a role and defines which accounts or services are allowed to assume the role. User permissions are defined by the policy associated with the user, and define a set of actions and resources that the user is allowed to access. - An issue has been identified in how Eucalyptus checks user permissions when allowing a user to assume a role. Given that the grant policy allows the user.s account to assume the role, any user in that account would be able to assume the role, even if the user.s policy does not explicitly grant the AssumeRole permission for the role. As a result, in some cases authenticated users could gain privileges by assuming an IAM role that they were not intended to have access to. The impact is mitigated by the fact that the role.s trust policy still has to explicitly authorize the user.s account to access the role. Revision 1 of this advisory.

tags | advisory, remote
advisories | CVE-2015-6861
SHA-256 | 2503231940024a6e3e8b742a105e37a6cc7ada64c00d60fa8ac15b9667483aeb
Page 1 of 1
Back1Next

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close