-------------------------------------------
Title: Keystone trust circumvention through EC2-style tokens
Reporter: Steven Hardy (Red Hat)
Products: Keystone
Affects: Grizzly and later
Description:
Steven Hardy from Red Hat reported a vulnerability in Keystone trusts when used in conjunction with the ec2tokens API. By generating EC2 credentials using a trust-scoped token, a trustee may retrieve a token not scoped to the trust, therefore elevating privileges to all of the trustor's roles. Only Keystone setups enabling EC2-style authentication are affected.
---------------------------------------------
New version including recommendations:
-------------------------------------------
Title: Keystone trust circumvention through EC2-style tokens
Reporter: Steven Hardy (Red Hat)
Products: Keystone
Affects: Grizzly and later
Description:
Steven Hardy from Red Hat reported a vulnerability in Keystone trusts when used in conjunction with the ec2tokens API. By generating EC2 credentials using a trust-scoped token, a trustee may retrieve a token not scoped to the trust, therefore elevating privileges to all of the trustor's roles. Only Keystone setups enabling EC2-style authentication are affected.
---------------------------------------------