OpenStack Security Advisory: 2014-022
Date: July 02, 2014
Title: Keystone V2 trusts privilege escalation through user supplied
Reporter: Jamie Lennox (Red Hat)
Versions: up to 2013.2.3, and 2014.1 to 2014.1.1
Jamie Lennox from Red Hat reported a vulnerability in Keystone trusts.
By supplying a project id outside the scope of the trust, a trustee may
gain unauthorized access if the trustor holds the required roles in the
requested project. All Keystone deployments configured to enable trusts
and the V2 API are
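The flaw described above, modelled as an added example that is not Keystone's own code: a simplified trust-scoped token issuer that takes the project id from the request and only checks the trustor's roles there, beside a hardened version that pins the token scope to the trust's project. The users, projects, roles and trust below are constructed sample data.

```python
from dataclasses import dataclass


class AuthError(Exception):
    pass


@dataclass(frozen=True)
class Trust:
    trustor: str
    trustee: str
    project_id: str      # the single project the delegation covers
    roles: frozenset     # roles delegated on that project


# Constructed data: alice is admin on two projects but delegates her
# admin role on proj-A only to bob.
ASSIGNMENTS = {"alice": {"proj-A": {"admin"}, "proj-B": {"admin"}}}
TRUSTS = {"trust-1": Trust("alice", "bob", "proj-A", frozenset({"admin"}))}


def trustor_roles(user, project):
    return ASSIGNMENTS.get(user, {}).get(project, set())


def issue_trust_token_vulnerable(trust_id, trustee, requested_project):
    """Flawed flow: scope comes from the user-supplied project id and is
    validated only against the trustor's roles in that project."""
    trust = TRUSTS[trust_id]
    if trust.trustee != trustee:
        raise AuthError("caller is not the trustee")
    if not trust.roles <= trustor_roles(trust.trustor, requested_project):
        raise AuthError("trustor lacks the delegated roles in that project")
    return {"user": trustee, "project": requested_project, "roles": sorted(trust.roles)}


def issue_trust_token_fixed(trust_id, trustee, requested_project):
    """Hardened flow: the requested scope must equal the trust's project."""
    trust = TRUSTS[trust_id]
    if trust.trustee != trustee:
        raise AuthError("caller is not the trustee")
    if requested_project != trust.project_id:
        raise AuthError("requested project is outside the trust's scope")
    if not trust.roles <= trustor_roles(trust.trustor, trust.project_id):
        raise AuthError("trustor no longer holds the delegated roles")
    return {"user": trustee, "project": trust.project_id, "roles": sorted(trust.roles)}


def attempt(issue, requested_project):
    """Return the project a token was scoped to, or the denial reason."""
    try:
        return issue("trust-1", "bob", requested_project)["project"]
    except AuthError as exc:
        return f"denied: {exc}"
```

With the vulnerable issuer, bob's request for proj-B succeeds because alice is admin there; the fixed issuer denies it and only honours proj-A.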
Juno (development branch) fix:
This fix will be included in the Juno-2 development milestone and in
future 2013.2.4 and 2014.1.2 releases.
fixed before you made the bug, kthnx