Launchpad CVE tracker

CVE 2017-2673

An authorization-check flaw was discovered in federation configurations of the OpenStack Identity service (keystone). An authenticated federated user could request permissions to a project and unintentionally be granted all related roles including administrative roles.

Related bugs and status

CVE-2017-2673 (Candidate) is related to these bugs:

Bug #1677723: [OSSA-2017-004] federated user gets wrong role (CVE-2017-2673)

Summary				In	Importance	Status
	1677723	[OSSA-2017-004] federated user gets wrong role (CVE-2017-2673)		OpenStack Identity (keystone)	Critical	Fix Released
	1677723	[OSSA-2017-004] federated user gets wrong role (CVE-2017-2673)		OpenStack Security Advisory	Critical	Fix Released

Bug #1680766: Incorrect role assignment with federated Keystone (CVE-2017-2673) (OSSA-2017-004)

		In	Importance	Status
1680766	Incorrect role assignment with federated Keystone (CVE-2017-2673) (OSSA-2017-004)	Mirantis OpenStack	High	Won't Fix
1680766	Incorrect role assignment with federated Keystone (CVE-2017-2673) (OSSA-2017-004)	Mirantis OpenStack 8.0.x	High	Invalid
1680766	Incorrect role assignment with federated Keystone (CVE-2017-2673) (OSSA-2017-004)	Mirantis OpenStack 9.x	High	Fix Released
1680766	Incorrect role assignment with federated Keystone (CVE-2017-2673) (OSSA-2017-004)	Mirantis OpenStack 7.0.x	High	Invalid

See the

CVE page on Mitre.org for more details.

Launchpad.net

CVE 2017-2673

References