CVE-2017-2673 — Incorrect Authorization in Keystone

CWE-863 — Incorrect Authorization9 documents8 sources

Severity

7.2HIGHNVD

CNA6.8

EPSS

0.6%

top 31.31%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openstack Keystone Redhat Openstack

Timeline

PublishedJul 19

Latest updateMay 13

Description

An authorization-check flaw was discovered in federation configurations of the OpenStack Identity service (keystone). An authenticated federated user could request permissions to a project and unintentionally be granted all related roles including administrative roles.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages3 packages

▶PyPIopenstack/keystone10.0.0 — 10.0.2+2

▶Debianopenstack/keystone< 2:10.0.0-9+3

▶NVDredhat/openstack10, 9+1

Patches

Patch: seclists.org ↗Patch: bugs.launchpad.net ↗Patch: bugzilla.redhat.com ↗

🔴Vulnerability Details

OSV

OpenStack Identity service (keystone) Incorrect Authorization↗2022-05-13

▶

GHSA

OpenStack Identity service (keystone) Incorrect Authorization↗2022-05-13

▶

CVEList

CVE-2017-2673: An authorization-check flaw was discovered in federation configurations of the OpenStack Identity service (keystone)↗2018-07-19

▶

OSV

CVE-2017-2673: An authorization-check flaw was discovered in federation configurations of the OpenStack Identity service (keystone)↗2018-07-19

▶

📋Vendor Advisories

Ubuntu

OpenStack Keystone vulnerability↗2017-10-11

▶

Red Hat

openstack-keystone: Incorrect role assignment with federated Keystone↗2017-04-25

▶

Debian

CVE-2017-2673: keystone - An authorization-check flaw was discovered in federation configurations of the O...↗2017

▶

💬Community

Bugzilla

CVE-2017-2673 openstack-keystone: Incorrect role assignment with federated Keystone↗2017-04-06

▶