Title: EC2 and/or credential endpoints are not protected from a scoped context
Reporter: kay
Products: Keystone
Affects: >=14.0.0 <=14.2.0, ==15.0.0, ==16.0.0
Description:
kay reported a vulnerability in Keystone's EC2 credentials API. Any user authenticated within a limited scope (trust/oauth/application credential) can create an EC2 credential with an escalated permission, such as obtaining "admin" while the user is on a limited "viewer" role.
Updated, please review:
Title: EC2 and/or credential endpoints are not protected from a scoped context
Reporter: kay
Products: Keystone
Affects: >=14.0.0 <=14.2.0, ==15.0.0, ==16.0.0
Description:
kay reported a vulnerability in Keystone's EC2 credentials API. Any user authenticated within a limited scope (trust/oauth/application credential) can create an EC2 credential with an escalated permission, such as obtaining "admin" while the user is on a limited "viewer" role.