date: 2014-07-02

id: OSSA-2014-022

title: 'Keystone V2 trusts privilege escalation through user supplied'

description: 'Jamie Lennox from Red Hat reported a vulnerability in Keystone trusts.
  By using an out of scope project id, a trustee may gain unauthorized access if the
  trustor has the required roles in the requested project id. All Keystone deployments
  configured to enable trusts and V2 API are affected.'

reference: http://lists.openstack.org/pipermail/openstack-announce/2014-July/000248.html

affected-products:

  - product: keystone
    version: up to 2013.2.3, and 2014.1 to 2014.1.1

vulnerabilities:

  - cve-id: CVE-2014-3520
    impact-assessment:
      source: 'Red Hat Product Security'
      rating: important
      assessment:
        type: CVSS2
        score: 3.5
        detail: AV:N/AC:M/Au:S/C:P/I:N/A:N
    classification:
      source: 'Red Hat Product Security'
      type: CWE
      detail: TODO

reporters:

  - name: 'Jamie Lennox'
    affiliation: 'Red Hat'
    reported:
      - CVE-2014-3520

issues:

  links:
    - https://launchpad.net/bugs/1331912

  type: launchpad

reviews:

  juno:
    - https://review.openstack.org/#/c/104216

  icehouse:
    - https://review.openstack.org/#/c/104217

  havana:
    - https://review.openstack.org/#/c/104218

  type: gerrit