CVE-2014-3520

CWE-863 — Incorrect Authorization12 documents8 sources

Severity

6.5MEDIUM

EPSS

0.4%

top 37.56%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openstack Keystone

Timeline

PublishedOct 26

Latest updateMay 13

Description

OpenStack Identity (Keystone) before 2013.2.4, 2014.x before 2014.1.2, and Juno before Juno-2 allows remote authenticated trustees to gain access to an unauthorized project for which the trustor has certain roles via the project ID in a V2 API trust token request.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 8.0 | Impact: 6.4

Affected Packages3 packages

▶NVDopenstack/keystone2013.2 — 2013.2.4+1

▶Debiankeystone< 2014.1.1-3+3

▶Ubuntukeystone< 1:2014.1.2.1-0ubuntu1.1

Patches

Patch: lists.openstack.org ↗Patch: lists.openstack.org ↗

🔴Vulnerability Details

GHSA

GHSA-mv96-4gm9-mjhw: OpenStack Identity (Keystone) before 2013↗2022-05-13

▶

CVEList

CVE-2014-3520: OpenStack Identity (Keystone) before 2013↗2014-10-26

▶

OSV

CVE-2014-3520: OpenStack Identity (Keystone) before 2013↗2014-10-26

▶

OSV

keystone vulnerabilities↗2014-08-21

▶

📋Vendor Advisories

Ubuntu

OpenStack Keystone vulnerabilities↗2014-08-21

▶

Red Hat

openstack-keystone: Keystone V2 trusts privilege escalation through user supplied project id↗2014-07-02

▶

Debian

CVE-2014-3520: keystone - OpenStack Identity (Keystone) before 2013.2.4, 2014.x before 2014.1.2, and Juno ...↗2014

▶

💬Community

Bugzilla

CVE-2014-3520 openstack-keystone: Keystone V2 trusts privilege escalation through user supplied project id [epel-6]↗2014-07-02

▶

Bugzilla

CVE-2014-3520 openstack-keystone: Keystone V2 trusts privilege escalation through user supplied project id [fedora-20]↗2014-07-02

▶

Bugzilla

CVE-2014-3520 openstack-keystone: Keystone V2 trusts privilege escalation through user supplied project id [fedora-19]↗2014-07-02

▶

Bugzilla

CVE-2014-3520 openstack-keystone: Keystone V2 trusts privilege escalation through user supplied project id↗2014-06-24

▶