CVE-2019-3683 HIGH

CVE-2019-3683: keystone_json_assignment backend granted access to any project for users in user-project-map.json

Vendor: SUSE
Product: SUSE OpenStack Cloud 8
Weakness: CWE-732 (Incorrect Permission Assignment for Critical Resource)
Published: January 17, 2020
Last update: September 17, 2024

CVSS base score

8.8/10
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Confidentiality: High
Integrity: High
Availability: High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

Description

In the keystone-json-assignment package in SUSE OpenStack Cloud 8, before commit d7888c75505465490250c00cc0ef4bb1af662f9f, every user listed in /etc/keystone/user-project-map.json was assigned the full "member" role on every project, rather than only on the projects mapped to that user. This allowed those users to access, modify, create and delete arbitrary resources in projects they were never intended to reach.

Key dates

Disclosure timeline

January 17, 2020: CVE published
September 17, 2024: Record updated