OpenStack Keystone intended authorization restrictions bypass
Low severity
GitHub Reviewed
Published
May 17, 2022
to the GitHub Advisory Database
•
Updated Jan 12, 2024
Description
Published by the National Vulnerability Database
Dec 18, 2012
Published to the GitHub Advisory Database
May 17, 2022
Reviewed
Jan 12, 2024
Last updated
Jan 12, 2024
OpenStack Keystone Essex (2012.1) and Folsom (2012.2) does not properly handle EC2 tokens when the user role has been removed from a tenant, which allows remote authenticated users to bypass intended authorization restrictions by leveraging a token for the removed user role.
References