Upstream information

CVE-2014-3476 at MITRE


OpenStack Identity (Keystone) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2 does not properly handle chained delegation, which allows remote authenticated users to gain privileges by leveraging a (1) trust or (2) OAuth token with impersonation enabled to create a new token with additional roles.

SUSE information

CVSS v2 Scores
  National Vulnerability Database
Base Score 6.00
Vector AV:N/AC:M/Au:S/C:P/I:P/A:P
Access Vector Network
Access Complexity Medium
Authentication Single
Confidentiality Impact Partial
Integrity Impact Partial
Availability Impact Partial
SUSE Bugzilla entry: 881977 [RESOLVED / FIXED]

SUSE Security Advisories:

List of released packages

Product(s) Fixed package version(s) References
SUSE Cloud 3
  • openstack-keystone >= 2013.2.4.dev5.g9162837-0.7.1
  • openstack-keystone-doc >= 2013.2.4.dev5.g9162837-0.7.1
  • python-keystone >= 2013.2.4.dev5.g9162837-0.7.1
SAT Patch Nr: 9378