Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 516088 (CVE-2014-3520)

Summary: sys-auth/keystone: Keystone V2 trusts privilege escalation through user supplied project id (CVE-2014-3520)
Product: Gentoo Security Reporter: Kristian Fiskerstrand (RETIRED) <k_f>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: normal CC: openstack, prometheanfire
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: ~3 [noglsa]
Package list:
Runtime testing required: ---

Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-07-02 17:52:35 UTC
From ${URL}:
OpenStack Security Advisory: 2014-022
CVE: CVE-2014-3520
Date: July 02, 2014
Title: Keystone V2 trusts privilege escalation through user supplied
       project id
Reporter: Jamie Lennox (Red Hat)
Products: Keystone
Versions: up to 2013.2.3, and 2014.1 to 2014.1.1

Jamie Lennox from Red Hat reported a vulnerability in Keystone trusts.
By using an out of scope project id, a trustee may gain unauthorized
access if the trustor has the required roles in the requested project
id. All Keystone deployments configured to enable trusts and V2 API are

Juno (development branch) fix:

Icehouse fix:

Havana fix:

This fix will be included in the Juno-2 development milestone and in
future 2013.2.4 and 2014.1.2 releases.

Comment 1 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2014-07-02 19:21:27 UTC
fixed before you made the bug, kthnx