CVE-2014-0204
OpenStack Identity Keystone Improper Privilege Management
EPSS 0.35%
Description
OpenStack Identity (Keystone) before 2014.1.1 does not correctly distinguish user and group identities when resolving role assignments: if a role is assigned to a group whose ID is identical to a user's ID, that role is also treated as granted to the user. A remote authenticated user whose ID collides with a group's ID therefore gains the privileges assigned to that group without being a member of it.
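The following Python block is an added illustration of the mechanism described above; it is not Keystone's own code and does not reproduce Keystone's actual backend queries. It models a role-assignment table with rows of (actor type, actor ID, target, role), shows a lookup that matches on actor ID alone (the class of mistake the advisory describes) beside one that keys on the (actor type, actor ID) pair, and adds a small pre-upgrade check that reports IDs shared between the user and group tables. All IDs, rows and memberships are constructed for the demonstration; with randomly generated UUID identifiers an accidental collision is improbable, so the check matters most where identifiers are supplied by an external identity store.

```python
"""Illustrative model of CVE-2014-0204 (added example, not Keystone's own code).

The flaw: when a group's ID equals a user's ID, a lookup that matches on the
actor ID alone hands the user the group's roles. The corrected lookup keys on
the (actor type, actor ID) pair. All data below is constructed.
"""
from collections import namedtuple

Assignment = namedtuple("Assignment", "actor_type actor_id target_id role_id")

# Constructed assignment rows: user "a1b2" and group "a1b2" share an ID.
ASSIGNMENTS = [
    Assignment("user", "a1b2", "proj-dev", "member"),
    Assignment("group", "a1b2", "proj-prod", "admin"),   # admin on prod granted to the GROUP
    Assignment("group", "c3d4", "proj-prod", "member"),
]

# Constructed user -> group memberships. The colliding user is NOT in group a1b2.
USER_GROUPS = {
    "a1b2": set(),
    "e5f6": {"c3d4"},
}


def roles_vulnerable(user_id, target_id, assignments=ASSIGNMENTS, memberships=USER_GROUPS):
    """Flawed lookup: matches rows by actor_id only, so a group row whose ID
    equals the user's ID is counted as a direct grant to that user."""
    actor_ids = {user_id} | memberships.get(user_id, set())
    return {a.role_id for a in assignments
            if a.actor_id in actor_ids and a.target_id == target_id}


def roles_fixed(user_id, target_id, assignments=ASSIGNMENTS, memberships=USER_GROUPS):
    """Corrected lookup: a row counts only if its (actor_type, actor_id) pair is
    the user itself or a group the user actually belongs to."""
    actors = {("user", user_id)} | {("group", g) for g in memberships.get(user_id, set())}
    return {a.role_id for a in assignments
            if (a.actor_type, a.actor_id) in actors and a.target_id == target_id}


def id_collisions(user_ids, group_ids):
    """Pre-upgrade check: IDs present in both the user and the group table.
    Feed it the ID columns exported from the identity backend (hypothetical input)."""
    return sorted(set(user_ids) & set(group_ids))


if __name__ == "__main__":
    print("vulnerable:", roles_vulnerable("a1b2", "proj-prod"))   # {'admin'}
    print("fixed:     ", roles_fixed("a1b2", "proj-prod"))        # set()
    print("collisions:", id_collisions(["a1b2", "e5f6"], ["a1b2", "c3d4"]))  # ['a1b2']
```

Any ID reported by id_collisions identifies a user who, on an unpatched Keystone, would inherit every role assigned to the same-named group; review those assignments before and after the upgrade.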
How to fix CVE-2014-0204
To remediate CVE-2014-0204, upgrade the affected package to one of the fixed versions below (the upstream fix shipped in Keystone 2014.1.1, the Icehouse series). Confirm the installed version before and after, for example with `dpkg -l keystone` on Debian or `pip show keystone` for a PyPI install.
- Debian/keystone—upgrade to 2014.1-5 or later
- PyPI/keystone—upgrade to 8.0.0a0 or later
Is CVE-2014-0204 being exploited?
Low. The EPSS score is 0.35%, a low estimated probability of exploitation in the wild over the next 30 days; no exploitation activity at scale is indicated. Note that EPSS estimates likelihood, not impact: a successful exploit still yields the full set of roles assigned to the colliding group.
Affected packages (2)
- Debian/keystone: from 0, < 2014.1-5
- PyPI/keystone: from 0, < 8.0.0a0