LOW

GHSA-f889-wfwm-6p7m

OpenStack Identity Keystone Privilege Escalation vulnerability

Details

The LDAP backend in OpenStack Identity (Keystone) Grizzly and Havana, when removing a role on a tenant for a user who does not have that role, adds the role to the user, which allows local users to gain privileges.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / keystone

Introduced in: 0 Fixed in: 8.0.0a0

Fix pip install --upgrade 'keystone>=8.0.0a0'

References

https://nvd.nist.gov/vuln/detail/CVE-2013-4477 [ADVISORY]
https://github.com/openstack/keystone/commit/b17e7bec768bd53d3977352486378698a3db3cfa [WEB]
https://github.com/openstack/keystone/commit/c6800ca1ac984c879e75826df6694d6199444ea0 [WEB]
https://bugs.launchpad.net/keystone/+bug/1242855 [WEB]
https://github.com/openstack/keystone [PACKAGE]
http://rhn.redhat.com/errata/RHSA-2014-0113.html [WEB]
http://www.openwall.com/lists/oss-security/2013/10/30/6 [WEB]
http://www.ubuntu.com/usn/USN-2034-1 [WEB]