Privilege Escalation

2019-01-1508:57:52

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

0.007 Low

EPSS

Percentile

80.7%

JSON

openstack-keystone is vulnerable to privilege escalation attacks. The vulnerability exists as OpenStack Identity (Keystone) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2 does not properly handle chained delegation, which allows remote authenticated users to gain privileges by leveraging a (1) trust or (2) OAuth token with impersonation enabled to create a new token with additional roles.

CPENameOperatorVersion
openstack-keystoneeq2012.2.3__7.el6ost
openstack-keystoneeq2013.2.1__1.el6ost
openstack-keystoneeq2012.2.3__4.el6ost
openstack-keystoneeq2013.2__3.el6ost
openstack-keystoneeq2012.1.1__1.el6
openstack-keystoneeq2013.1.4__1.el6ost
openstack-keystoneeq2012.2__6.el6
openstack-keystoneeq2013.1.4__2.el6ost
openstack-keystoneeq2012.2.3__3.el6ost
openstack-keystoneeq2013.2.2__1.el6ost

Name	Operator	Version
openstack-keystone	eq	2012.2.3__7.el6ost
openstack-keystone	eq	2013.2.1__1.el6ost
openstack-keystone	eq	2012.2.3__4.el6ost
openstack-keystone	eq	2013.2__3.el6ost
openstack-keystone	eq	2012.1.1__1.el6
openstack-keystone	eq	2013.1.4__1.el6ost
openstack-keystone	eq	2012.2__6.el6
openstack-keystone	eq	2013.1.4__2.el6ost
openstack-keystone	eq	2012.2.3__3.el6ost
openstack-keystone	eq	2013.2.2__1.el6ost