Incorrect Authorization Affecting keystone package, versions [14.0.0,26.1.1), [27.0.0.0rc1,27.0.1), [28.0.0.0rc1,28.0.1), [29.0.0.0rc1,29.0.1)


Severity

medium

CVSS assessment by Snyk's Security Team.

Threat Intelligence

Exploit Maturity
Proof of Concept
EPSS
0.03% (8th percentile)

  • Snyk ID: SNYK-PYTHON-KEYSTONE-16000074
  • published: 13 Apr 2026
  • disclosed: 10 Apr 2026
  • credit: Maxence Bornecque

Introduced: 10 Apr 2026

CVE-2026-33551
CWE-863

How to fix?

Upgrade keystone to version 26.1.1, 27.0.1, 28.0.1, 29.0.1 or higher.

Overview

keystone is a package that provides authentication, authorization and service discovery mechanisms via HTTP primarily for use by projects in the OpenStack family.

Affected versions of this package are vulnerable to Incorrect Authorization through the UserOSEC2CredentialsResourceListCreate handler in keystone/api/users.py. An attacker can obtain an EC2/S3 credential with the parent user's full S3 permissions by using a restricted application credential to call the EC2 credential creation API. In deployments that expose the EC2/S3 compatibility API, this allows an authenticated reader-role user to bypass the role limits on the application credential and create credentials that grant broader S3 access.
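To make the authorization point concrete, here is an added example (not keystone's code and not the upstream fix) that models the handler behaviour described above: a validated token, the roles it actually carries, and an EC2 credential minted from it. The vulnerable version only checks that the caller is the target user and then copies the parent user's full role assignments onto the new credential, so a token issued from a restricted application credential ends up with more than it started with. The hardened version binds the new credential to the calling token's roles. `Token`, `EC2Credential`, `USER_PROJECT_ROLES` and the role sets are constructed for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Token:
    """Constructed stand-in for a validated keystone token."""
    user_id: str
    project_id: str
    roles: FrozenSet[str]                       # roles the token actually carries
    application_credential_id: Optional[str] = None   # set when issued from an app cred


@dataclass(frozen=True)
class EC2Credential:
    """Constructed stand-in for an EC2/S3 credential record."""
    user_id: str
    project_id: str
    roles: FrozenSet[str]                       # roles an S3 request signed with it receives


# Constructed role assignments of the parent user on the project.
USER_PROJECT_ROLES = {("user-1", "proj-1"): frozenset({"member", "reader"})}


def create_ec2_credential_vulnerable(token: Token, target_user_id: str) -> EC2Credential:
    """Pattern described in the advisory: only the caller == target check is made,
    then the credential is materialised from the parent user's full assignments."""
    if token.user_id != target_user_id:
        raise PermissionError("may only create EC2 credentials for yourself")
    roles = USER_PROJECT_ROLES[(target_user_id, token.project_id)]
    return EC2Credential(target_user_id, token.project_id, roles)


def create_ec2_credential_hardened(token: Token, target_user_id: str) -> EC2Credential:
    """Illustrative mitigation (not the upstream patch): the minted credential never
    carries more than the calling token, and never more than the parent user holds."""
    if token.user_id != target_user_id:
        raise PermissionError("may only create EC2 credentials for yourself")
    parent_roles = USER_PROJECT_ROLES[(target_user_id, token.project_id)]
    roles = token.roles & parent_roles
    if not roles:
        raise PermissionError("token carries no role usable for an EC2 credential")
    return EC2Credential(target_user_id, token.project_id, roles)


def escalates(cred: EC2Credential, token: Token) -> FrozenSet[str]:
    """Roles the minted credential grants that the calling token did not have.
    A non-empty result is the privilege escalation the advisory describes."""
    return cred.roles - token.roles


if __name__ == "__main__":
    # Constructed token issued from an application credential limited to "reader".
    restricted = Token("user-1", "proj-1", frozenset({"reader"}),
                       application_credential_id="appcred-1")
    print("vulnerable:", escalates(create_ec2_credential_vulnerable(restricted, "user-1"), restricted))
    print("hardened:  ", escalates(create_ec2_credential_hardened(restricted, "user-1"), restricted))
```

The check that matters is `escalates`: the S3 side will trust whatever roles the EC2 credential resolves to, so the handler that mints it is the only place where the application credential's restriction can be enforced.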

Notes

  • Only deployments that expose the EC2 credential endpoints in keystone/api/users.py are in scope; the reachable API is identity:ec2_create_credential and the related delete path, not the general application-credential create/delete endpoints.
  • The caller needs an authenticated token tied to a restricted application credential, and that token must be able to reach the EC2 credential creation API for the same parent user/project.
  • Exposure is limited to deployments where the policy for identity:ec2_create_credential or identity:ec2_delete_credential allows reader-role users or otherwise does not require member-level access.
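The notes above hinge on what the policy file says for identity:ec2_create_credential and identity:ec2_delete_credential. The following added example (my own, not part of the advisory or of keystone) is a conservative heuristic audit of those two rules written in oslo.policy's string syntax: it inlines `rule:` aliases, splits each expression on top-level `or`, and flags any branch that accepts `role:reader` or requires no member/admin role at all. `WEAK_POLICY` and `STRICT_POLICY` are constructed samples, not keystone's defaults; the checker ignores `not` and scope checks and is not a substitute for evaluating the rules with the real Enforcer.

```python
import re

# Rule names quoted in the advisory notes.
EC2_RULES = ("identity:ec2_create_credential", "identity:ec2_delete_credential")
# oslo.policy role checks treated here as "member-level or higher".
PRIVILEGED_ROLE_CHECKS = ("role:admin", "role:member")


def expand_rule_refs(expr, policy, depth=0):
    """Inline 'rule:<name>' aliases (e.g. rule:admin_required) so the expression
    can be inspected textually. An alias missing from the file never matches."""
    if depth > 20:
        raise ValueError("rule reference cycle")

    def inline(match):
        name = match.group(1)
        if name not in policy:
            return "!"
        return "(" + expand_rule_refs(policy[name], policy, depth + 1) + ")"

    return re.sub(r"rule:([A-Za-z0-9_-]+)", inline, expr)


def split_top_level_or(expr):
    """Split on 'or' outside parentheses. Policy strings are whitespace-tokenised;
    the %(...)s substitutions are balanced, so they do not disturb the depth count."""
    parts, buf, depth = [], [], 0
    for tok in expr.split():
        if tok.lower() == "or" and depth == 0:
            parts.append(" ".join(buf))
            buf = []
            continue
        depth += tok.count("(") - tok.count(")")
        buf.append(tok)
    parts.append(" ".join(buf))
    return parts


def audit_ec2_policy(policy):
    """Return {rule_name: [findings]} for the two EC2 credential rules.
    An empty list means every branch requires an admin or member role."""
    findings = {}
    for name in EC2_RULES:
        if name not in policy:
            findings[name] = ["not overridden in the policy file; keystone's in-code default applies"]
            continue
        expr = expand_rule_refs(policy[name], policy).strip()
        if expr in ("", "@"):
            findings[name] = ["unrestricted: any authenticated caller passes"]
            continue
        problems = []
        for disjunct in split_top_level_or(expr):
            if not disjunct or disjunct == "!":
                continue
            if "role:reader" in disjunct:
                problems.append(f"reader role accepted: {disjunct}")
            elif not any(check in disjunct for check in PRIVILEGED_ROLE_CHECKS):
                problems.append(f"no member/admin role required: {disjunct}")
        findings[name] = problems
    return findings


# Constructed sample policies (not keystone's shipped defaults).
WEAK_POLICY = {
    "admin_required": "role:admin",
    "identity:ec2_create_credential": "rule:admin_required or user_id:%(target.credential.user_id)s",
    "identity:ec2_delete_credential": "rule:admin_required or (role:reader and user_id:%(target.credential.user_id)s)",
}
STRICT_POLICY = {
    "admin_required": "role:admin",
    "identity:ec2_create_credential": "rule:admin_required or (role:member and user_id:%(target.credential.user_id)s)",
    "identity:ec2_delete_credential": "rule:admin_required or (role:member and user_id:%(target.credential.user_id)s)",
}

if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("strict", STRICT_POLICY)):
        for rule, problems in audit_ec2_policy(policy).items():
            print(label, rule, problems or "ok")
```

A branch such as `user_id:%(target.credential.user_id)s` on its own is what the third note describes: it lets any token for the right user through regardless of role, which is why the audit treats the absence of a role check as a finding rather than only the explicit presence of `role:reader`.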

Workarounds

  • Restrict use of the EC2/S3 compatibility API (swift3 / s3api) in deployments that rely on restricted application credentials, so those credentials cannot be used to create EC2 credentials with broader S3 access.
