An issue was discovered in OpenStack Keystone before 15.0.1 and in 16.0.0. Any authenticated user can create an EC2 credential for themselves on a project they hold a role on, and then update the credential's user and project fields, allowing them to masquerade as another user. This potentially allows a malicious user to act as the admin on a project another user has the admin role on, which can effectively grant that user global admin privileges.
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
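The authorization failure described above, modelled as a constructed example (added here; not Keystone's code or API): the flawed update verifies ownership only against the record as it stands before the change, so the owner can re-point the credential's `user_id` and `project_id`; the hardened update re-checks the identity-bearing fields after applying the requested changes. The store, `Caller`, and role map are assumptions for the model.

```python
from dataclasses import dataclass
from typing import Dict, Set

class Forbidden(Exception):
    """Raised when the authorization check rejects the request."""

@dataclass
class Credential:
    cred_id: str
    user_id: str      # identity a request signed with this credential acts as
    project_id: str   # project scope it acts in

@dataclass
class Caller:
    user_id: str
    roles: Dict[str, Set[str]]  # project_id -> roles held there (constructed)

def create_credential(store, caller, cred_id, project_id):
    # Creating a credential for a project the caller holds a role on is legitimate.
    if project_id not in caller.roles:
        raise Forbidden("no role on project")
    store[cred_id] = Credential(cred_id, caller.user_id, project_id)
    return store[cred_id]

def update_credential_vulnerable(store, caller, cred_id, **changes):
    cred = store[cred_id]
    if cred.user_id != caller.user_id:   # ownership checked on the OLD record only
        raise Forbidden("not owner")
    for k, v in changes.items():         # user_id / project_id rewritten unchecked
        setattr(cred, k, v)
    return cred

def update_credential_fixed(store, caller, cred_id, **changes):
    cred = store[cred_id]
    if cred.user_id != caller.user_id:
        raise Forbidden("not owner")
    # The identity-bearing fields must still describe the caller after the update.
    if changes.get("user_id", cred.user_id) != caller.user_id:
        raise Forbidden("cannot re-point credential at another user")
    if changes.get("project_id", cred.project_id) not in caller.roles:
        raise Forbidden("cannot re-point credential at a project without a role")
    for k, v in changes.items():
        setattr(cred, k, v)
    return cred

def effective_identity(store, cred_id):
    """(user, project) that a request signed with this credential is treated as."""
    return store[cred_id].user_id, store[cred_id].project_id
```

A regression test for the fix is the second half of the scenario: after a rejected update the credential must still resolve to the caller's own identity.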
Name | Vendor | Start Version | End Version |
---|---|---|---|
Keystone | Openstack | * | 15.0.1 (excluding) |
Keystone | Openstack | 16.0.0 (including) | 16.0.0 (including) |
Red Hat OpenStack Platform 10.0 (Newton) | RedHat | openstack-keystone-1:10.0.3-8.el7ost | * |
Red Hat OpenStack Platform 13.0 (Queens) | RedHat | openstack-keystone-1:13.0.4-3.el7ost | * |
Red Hat OpenStack Platform 13.0 (Queens) for RHEL 7.6 EUS | RedHat | openstack-keystone-1:13.0.4-3.el7ost | * |
Red Hat OpenStack Platform 15.0 (Stein) | RedHat | openstack-keystone-1:15.0.1-0.20200512110437.95b2bbe.el8ost | * |
Red Hat OpenStack Platform 16.0 (Train) | RedHat | openstack-keystone-1:16.0.1-0.20200511063421.40cbb7b.el8ost | * |
Keystone | Ubuntu | bionic | * |
Keystone | Ubuntu | eoan | * |
Keystone | Ubuntu | esm-infra/bionic | * |
Keystone | Ubuntu | esm-infra/xenial | * |
Keystone | Ubuntu | trusty | * |
Keystone | Ubuntu | upstream | * |
Keystone | Ubuntu | xenial | * |