An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS0yNzR2LXI5NDctdjM0cs4AAQdC

Severity: Moderate. EPSS: 0.01038% (0.7645 percentile)

OpenStack Identity (Keystone) is vulnerable to escalation of privilege through chained delegation (fix titled "Block delegation escalation of privilege")

Affected Package   Affected Versions   Fixed Versions
pypi:keystone      < 8.0.0a0           8.0.0a0

Dependent packages: 3
Dependent repositories: 37
Downloads last month: 23,114

Affected Version Ranges

All affected versions

All unaffected versions

12.0.2, 12.0.3, 13.0.2, 13.0.3, 13.0.4, 14.0.0, 14.0.1, 14.1.0, 14.2.0, 15.0.0, 15.0.1, 16.0.0, 16.0.1, 16.0.2, 17.0.0, 17.0.1, 18.0.0, 18.1.0, 19.0.0, 19.0.1, 20.0.0, 20.0.1, 21.0.0, 21.0.1, 22.0.0, 22.0.1, 22.0.2, 23.0.0, 23.0.1, 23.0.2, 24.0.0, 24.1.0, 25.0.0, 26.0.0, 27.0.0

OpenStack Identity (Keystone) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2 does not properly handle chained delegation, which allows remote authenticated users to gain privileges by leveraging a (1) trust or (2) OAuth token with impersonation enabled to create a new token with additional roles.
