QwikSec

Security Database

CVE

CWE

Training

CVE-2017-2673

Published: Jul 19, 2018

Modified: Aug 5, 2024

PUBLISHED

CVSS v3.0

6.8

MEDIUM

Description

An authorization-check flaw was discovered in federation configurations of the OpenStack Identity service (keystone). An authenticated federated user could request permissions to a project and unintentionally be granted all related roles including administrative roles.

Vendor	Product	Versions
[UNKNOWN]	openstack-keystone	affected `n/a`

Weaknesses (CWE)

CVSS v3.0 Details

CVSS v3.0 Vector

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

References

[oss-security] 20170425 [OSSA-2017-004] federated user gets wrong role (CVE-2017-2673)

mailing-list

x_refsource_MLIST

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2673

x_refsource_CONFIRM

https://bugs.launchpad.net/keystone/+bug/1677723

x_refsource_CONFIRM

vendor-advisory

x_refsource_REDHAT

vendor-advisory

x_refsource_REDHAT

vdb-entry

x_refsource_BID

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.