Vulnerability	Vulnerable Version
M Incorrect Authorization keystone is a package that provides authentication, authorization and service discovery mechanisms via HTTP primarily for use by projects in the OpenStack family. Affected versions of this package are vulnerable to Incorrect Authorization through the `UserOSEC2CredentialsResourceListCreate` handler in `keystone/api/users.py`. An attacker can obtain an EC2/S3 credential with the parent user's full S3 permissions by using a restricted application credential to call the EC2 credential creation API. In deployments that expose the EC2/S3 compatibility API, this allows an authenticated reader-role user to bypass the role limits on the application credential and create credentials that grant broader S3 access. How to fix Incorrect Authorization? Upgrade `keystone` to version 26.1.1, 27.0.1, 28.0.1, 29.0.1 or higher.	[14.0.0,26.1.1)[27.0.0.0rc1,27.0.1)[28.0.0.0rc1,28.0.1)[29.0.0.0rc1,29.0.1)

Incorrect Authorization

keystone is a package that provides authentication, authorization and service discovery mechanisms via HTTP primarily for use by projects in the OpenStack family.

Affected versions of this package are vulnerable to Incorrect Authorization through the UserOSEC2CredentialsResourceListCreate handler in keystone/api/users.py. An attacker can obtain an EC2/S3 credential with the parent user's full S3 permissions by using a restricted application credential to call the EC2 credential creation API. In deployments that expose the EC2/S3 compatibility API, this allows an authenticated reader-role user to bypass the role limits on the application credential and create credentials that grant broader S3 access.

How to fix Incorrect Authorization?

Upgrade keystone to version 26.1.1, 27.0.1, 28.0.1, 29.0.1 or higher.

[14.0.0,26.1.1)[27.0.0.0rc1,27.0.1)[28.0.0.0rc1,28.0.1)[29.0.0.0rc1,29.0.1)

Go back to all versions of this package