Source: keystone
Version: 2:14.0.1-2
Severity: grave
Tags: patch security

kay reported a vulnerability in Keystone's EC2 credentials API. Keystone is the identity service used by OpenStack for authentication (authN) and high-level authorization (authZ). Any user authenticated within a limited scope (trust/oauth/application credential) can create an EC2 credential with an escalated permission, such as obtaining "admin" while the user is on a limited "viewer" role.
The details and patches are available here: https://bugs.launchpad.net/keystone/+bug/1872735