Homepage
About Snyk

Privilege Escalation Affecting keystone package, versions [15.0.0, 17.0.0)

0.0
medium

Snyk CVSS

    Attack Complexity Low
    Privileges Required High
    Confidentiality High
    Availability High

    Threat Intelligence

    EPSS 1.79% (88th percentile)
Expand this section
NVD
8.8 high
Expand this section
Red Hat
8.1 high

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-PYTHON-KEYSTONE-537036
  • published 9 Dec 2019
  • disclosed 9 Dec 2019
  • credit Unknown
Report a new vulnerability Found a mistake?

Introduced: 9 Dec 2019

CVE-2019-19687 Open this link in a new tab
CWE-269 Open this link in a new tab

How to fix?

Upgrade keystone to version 17.0.0 or higher.

Overview

keystone is a package that provides authentication, authorization and service discovery mechanisms via HTTP primarily for use by projects in the OpenStack family.

Affected versions of this package are vulnerable to Privilege Escalation via the list credentials API. Any user with a role on a project is able to list any credentials with the /v3/credentials API when enforce_scope is false.