CVE-2014-3476

Severity: 6.0 MEDIUM
EPSS: 0.7% (top 27.51%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jun 17; latest update May 13

Description

OpenStack Identity (Keystone) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2 does not properly handle chained delegation, which allows remote authenticated users to gain privileges by leveraging a (1) trust or (2) OAuth token with impersonation enabled to create a new token with additional roles.

CVSS vector

AV:N/AC:M/C:P/I:P/A:P
Exploitability: 6.8 | Impact: 6.4

Affected Packages (5 packages)

Source   Package              Affected versions
NVD      openstack/keystone   2013.2, 2013.2.4 (+1 more)
PyPI     keystone             < 8.0.0a0
Debian   keystone             < 2014.1.1-2+3
Ubuntu   keystone             < 1:2014.1.2.1-0ubuntu1.1
NVD      suse/cloud           3

Patches

🔴 Vulnerability Details (5)

GHSA: OpenStack Identity Keystone is vulnerable to Block delegation escalation of privilege (2022-05-13)
OSV: OpenStack Identity Keystone is vulnerable to Block delegation escalation of privilege (2022-05-13)
OSV: keystone vulnerabilities (2014-08-21)
OSV: CVE-2014-3476: OpenStack Identity (Keystone) before 2013... (2014-06-17)
CVEList: CVE-2014-3476: OpenStack Identity (Keystone) before 2013... (2014-06-17)

📋 Vendor Advisories (3)

Ubuntu: OpenStack Keystone vulnerabilities (2014-08-21)
Red Hat: openstack-keystone: privilege escalation through trust chained delegation (2014-06-12)
Debian: CVE-2014-3476: keystone - OpenStack Identity (Keystone) before 2013.2.4, 2014.1 before 2014.1.2, and Juno ... (2014)

💬 Community (3)

Bugzilla: CVE-2014-3476 openstack-keystone: privilege escalation through trust chained delegation [epel-6] (2014-06-13)
Bugzilla: CVE-2014-3476 openstack-keystone: privilege escalation through trust chained delegation [fedora-all] (2014-06-13)
Bugzilla: CVE-2014-3476 openstack-keystone: privilege escalation through trust chained delegation (2014-06-04)
CVE-2014-3476 (MEDIUM CVSS 6) | OpenStack Identity (Keystone) befor | cvebase.io