Vulnerability Details : CVE-2014-3520
Potential exploit
OpenStack Identity (Keystone) before 2013.2.4, 2014.x before 2014.1.2, and Juno before Juno-2 allows remote authenticated trustees to gain access to an unauthorized project for which the trustor has certain roles via the project ID in a V2 API trust token request. In practice, a trustee requesting a trust-scoped token through the V2 API could supply a tenant (project) ID other than the one the trust was created for, and the token was scoped to that project with the trustor's matching roles there, which is the privilege escalation described in OSSA 2014-022.
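The following is an added, simplified model of the check at issue, written for this page; it is not Keystone's code and does not reproduce its internals. It contrasts the vulnerable behaviour (the token scope is taken from the user-supplied tenant ID) with the fixed behaviour (the scope must equal the project the trust was created for), and adds a small retrospective check over request records. All names, data and signatures (`issue_v2_trust_token`, `find_mismatched_trust_requests`, `TRUSTS`, `ROLE_ASSIGNMENTS`, the request-record layout) are hypothetical.

```python
"""Illustrative model of the CVE-2014-3520 check (added example, not Keystone code).

Models POST /v2.0/tokens with {"auth": {"trust_id": ..., "tenantId": ...}} and
shows why trusting the caller-supplied tenantId lets a trustee obtain the
trustor's roles in a project the trust never covered.
"""

from typing import Dict, List, Optional, Set, Tuple


class Unauthorized(Exception):
    """Raised when the token request must be refused."""


# Constructed sample data (hypothetical, not from the advisory).
# The trustor 'alice' holds roles in two projects; her trust delegates
# only the 'member' role on 'proj-a' to the trustee 'bob'.
ROLE_ASSIGNMENTS: Dict[Tuple[str, str], Set[str]] = {
    ("alice", "proj-a"): {"member"},
    ("alice", "proj-b"): {"member", "admin"},
}

TRUSTS: Dict[str, Dict] = {
    "trust-1": {
        "trustor_user_id": "alice",
        "trustee_user_id": "bob",
        "project_id": "proj-a",
        "roles": {"member"},
    },
}


def issue_v2_trust_token(trustee_id: str, trust_id: str,
                         requested_tenant_id: Optional[str],
                         fixed: bool) -> Dict:
    """Issue a trust-scoped token (hypothetical model).

    fixed=False: the scope comes from the request (the vulnerable behaviour).
    fixed=True:  the scope must match the trust's own project.
    """
    trust = TRUSTS.get(trust_id)
    if trust is None or trust["trustee_user_id"] != trustee_id:
        raise Unauthorized("caller is not the trustee of this trust")

    if fixed:
        # Hardened: a trust is bound to exactly one project; refuse any other scope.
        if requested_tenant_id is not None and requested_tenant_id != trust["project_id"]:
            raise Unauthorized("tenantId does not match the trust's project")
        scope = trust["project_id"]
    else:
        # Vulnerable: the user-supplied tenant id becomes the token scope.
        scope = requested_tenant_id or trust["project_id"]

    # The trustee receives the delegated roles that the trustor actually holds
    # in `scope`. In the vulnerable path `scope` may be a project the trust
    # was never created for, so the trustee inherits roles never delegated.
    trustor_roles = ROLE_ASSIGNMENTS.get((trust["trustor_user_id"], scope), set())
    granted = sorted(trust["roles"] & trustor_roles)
    if not granted:
        raise Unauthorized("trustor holds none of the delegated roles in this project")

    return {"user_id": trustee_id, "trust_id": trust_id,
            "tenant_id": scope, "roles": granted}


def find_mismatched_trust_requests(requests: List[Dict]) -> List[Dict]:
    """Flag V2 trust token requests whose tenantId differs from the trust's project.

    A retrospective check over parsed request records; the record layout
    ({"trust_id": ..., "tenantId": ...}) is constructed for this example.
    """
    flagged = []
    for req in requests:
        trust = TRUSTS.get(req.get("trust_id"))
        tenant = req.get("tenantId")
        if trust is not None and tenant is not None and tenant != trust["project_id"]:
            flagged.append(req)
    return flagged


if __name__ == "__main__":
    # Legitimate use: bob scopes the token to the project the trust covers.
    print(issue_v2_trust_token("bob", "trust-1", "proj-a", fixed=True))
    # Abuse: bob names a different project in which alice also holds 'member'.
    print(issue_v2_trust_token("bob", "trust-1", "proj-b", fixed=False))
    try:
        issue_v2_trust_token("bob", "trust-1", "proj-b", fixed=True)
    except Unauthorized as exc:
        print("fixed build refused:", exc)
```

The vulnerable path hands `bob` a token for `proj-b` with the `member` role even though the trust only covers `proj-a`; the fixed path rejects the mismatch before any role lookup happens. When auditing historical V2 token requests, any record where the supplied tenant ID differs from the trust's recorded project is worth examining.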
Products affected by CVE-2014-3520
- cpe:2.3:a:openstack:keystone:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2014-3520
- Score: 0.28% (probability of exploitation activity in the next 30 days)
- Percentile: ~48% (the proportion of vulnerabilities scored at or below this value)
CVSS scores for CVE-2014-3520
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P | 8.0 | 6.4 | NIST | |
CWE ids for CVE-2014-3520
- CWE-863 (Incorrect Authorization): the product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-3520
- http://secunia.com/advisories/59426 (Secunia advisory; Third Party Advisory)
- http://lists.openstack.org/pipermail/openstack-announce/2014-July/000248.html ([openstack-announce] [OSSA 2014-022] Keystone V2 trusts privilege escalation through user supplied project id (CVE-2014-3520); Patch, Vendor Advisory)
- https://bugs.launchpad.net/keystone/+bug/1331912 (Bug #1331912 "[OSSA 2014-022] V2 Trusts allow trustee to emulate..." : Bugs : OpenStack Identity (keystone); Exploit, Issue Tracking, Third Party Advisory)