Title: EC2 and credential endpoints are not protected from a scoped context
Reporter: kay
Products: Keystone
Affects: <15.0.1, ==16.0.0
Description:
kay reported a vulnerability in Keystone's EC2 credentials API. Any user authenticated within a limited scope (trust/oauth/application credential) can create an EC2 credential with an escalated permission, such as obtaining "admin" while the user is on a limited "viewer" role.
Updated, please review:
Title: EC2 and credential endpoints are not protected from a scoped context
Reporter: kay
Products: Keystone
Affects: <15.0.1, ==16.0.0
Description:
kay reported a vulnerability in Keystone's EC2 credentials API. Any user authenticated within a limited scope (trust/oauth/application credential) can create an EC2 credential with an escalated permission, such as obtaining "admin" while the user is on a limited "viewer" role.