An issue was discovered in OpenStack Keystone before 29.0.2. POST /v3/credentials did not validate that the caller-supplied project_id for an EC2-type credential matched the project of the authenticating application credential. This allowed an attacker holding an unrestricted application credential for project A to create an EC2 credential targeting project B; a subsequent /v3/ec2tokens exchange would then issue a Keystone token scoped to project B while still carrying the original app_cred_id, enabling cross-project lateral movement within the credential owner's role footprint.
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:LOpenstack Keystone
APPOpenstack14.0.0 – 27.0.2 (bez)28.0.0 – 28.0.2 (bez)29.0.0 – 29.0.2 (bez)
Related vulnerabilities
A flaw was found in openstack-keystone. Only the first 72 characters of an application secret are verified all...
OpenStack Keystone 10.x through 16.x before 16.0.2, 17.x before 17.0.1, 18.x before 18.0.1, and 19.x before 19...
An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The list of roles provided for an OAu...
An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. Any authenticated user can create an ...
An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. Any user authenticated within a limit...