Low severity · NVD Advisory · Published Nov 2, 2013 · Updated Apr 29, 2026
CVE-2013-4477
Description
The LDAP backend in OpenStack Identity (Keystone) Grizzly and Havana, when removing a role on a tenant for a user who does not have that role, adds the role to the user, which allows local users to gain privileges.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| keystone (PyPI) | < 8.0.0a0 | 8.0.0a0 |
Affected products
Patches (2)
c6800ca1ac98 Fix remove role assignment adds role using LDAP assignment
2 files changed · +4 −22
keystone/assignment/backends/ldap.py+4 −14 modified@@ -451,20 +451,10 @@ def delete_user(self, role_dn, user_dn, tenant_dn, try: conn.modify_s(role_dn, [(ldap.MOD_DELETE, self.member_attribute, user_dn)]) - except ldap.NO_SUCH_OBJECT: - if tenant_dn is None: - raise exception.RoleNotFound(role_id=role_id) - attrs = [('objectClass', [self.object_class]), - (self.member_attribute, [user_dn])] - - if self.use_dumb_member: - attrs[1][1].append(self.dumb_member) - try: - conn.add_s(role_dn, attrs) - except Exception as inst: - raise inst - except ldap.NO_SUCH_ATTRIBUTE: - raise exception.UserNotFound(user_id=user_id) + except (ldap.NO_SUCH_OBJECT, ldap.NO_SUCH_ATTRIBUTE): + raise exception.RoleNotFound(message=_( + 'Cannot remove role that has not been granted, %s') % + role_id) finally: conn.unbind_s()
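Review bot: The new `except (ldap.NO_SUCH_OBJECT, ldap.NO_SUCH_ATTRIBUTE)` branch now turns a missing member value, which the removed code reported as `exception.UserNotFound(user_id=user_id)`, into `RoleNotFound`, so any caller that catches `UserNotFound` on this path sees a different exception type; that contract change deserves a sentence in the method's docstring. With the `add_s` fallback gone, `tenant_dn` and `user_id` are no longer used in the body shown here even though the signature in the hunk header still takes them (the `def delete_user` line and anything after `conn.unbind_s()` are outside the hunk). Folding both LDAP errors into one exception also hides whether the role entry itself is absent or only the membership is, which an operator diagnosing a misconfigured tree would want; logging the original LDAP error at debug level before raising, using the module's logger if it has one, would keep that information without widening the API.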
keystone/tests/test_backend_ldap.py+0 −8 modified@@ -870,14 +870,6 @@ def test_list_projects_for_alternate_domain(self): self.skipTest( 'N/A: LDAP does not support multiple domains') - def test_remove_user_role_not_assigned(self): - # This raises exception as expected with SQL assignment backend but - # not with LDAP (see bug #1242855) - self.identity_api.remove_role_from_user_and_project( - tenant_id=self.tenant_bar['id'], - user_id=self.user_two['id'], - role_id=self.role_other['id']) - class LDAPIdentityEnabledEmulation(LDAPIdentity): def setUp(self):
b17e7bec768b Enhance tests for deleting a role not assigned
2 files changed · +17 −0
keystone/tests/test_backend_ldap.py+8 −0 modified@@ -870,6 +870,14 @@ def test_list_projects_for_alternate_domain(self): self.skipTest( 'N/A: LDAP does not support multiple domains') + def test_remove_user_role_not_assigned(self): + # This raises exception as expected with SQL assignment backend but + # not with LDAP (see bug #1242855) + self.identity_api.remove_role_from_user_and_project( + tenant_id=self.tenant_bar['id'], + user_id=self.user_two['id'], + role_id=self.role_other['id']) + class LDAPIdentityEnabledEmulation(LDAPIdentity): def setUp(self):
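Review bot: The override added here pins the buggy LDAP behaviour — the removal call is expected to succeed where the base-class test asserts `RoleNotFound` — but its comment does not say that the test is meant to start failing once the backend is fixed and must then be deleted. Make that explicit, e.g. `# TODO(bug 1242855): LDAP does not raise here; once fixed, delete this override so the base test's assertRaises runs.` The deletion of these same lines in c6800ca1ac98 above is exactly that follow-up. The enclosing test class starts outside the hunk.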
keystone/tests/test_backend.py+9 −0 modified@@ -61,6 +61,15 @@ def test_project_add_and_remove_user_role(self): self.tenant_bar['id']) self.assertNotIn(self.user_two['id'], user_ids) + def test_remove_user_role_not_assigned(self): + # Expect failure if attempt to remove a role that was never assigned to + # the user. + self.assertRaises(exception.RoleNotFound, + self.identity_api.remove_role_from_user_and_project, + tenant_id=self.tenant_bar['id'], + user_id=self.user_two['id'], + role_id=self.role_other['id']) + def test_authenticate_bad_user(self): self.assertRaises(AssertionError, self.identity_api.authenticate,
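Review bot: The new `test_remove_user_role_not_assigned` only asserts that `RoleNotFound` is raised; it does not check that the failed removal left the assignment unchanged, which is the actual hazard this advisory describes (the LDAP backend granted the role as a side effect of the failed remove). After the `assertRaises`, list the user's roles on the project and assert the role is still absent, e.g. `roles = self.identity_api.get_roles_for_user_and_project(self.user_two['id'], self.tenant_bar['id'])` followed by `self.assertNotIn(self.role_other['id'], roles)` — assuming that method is the role-listing call in this tree. The surrounding test class starts outside the hunk.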
References (8)
- www.openwall.com/lists/oss-security/2013/10/30/6nvdPatchWEB
- bugs.launchpad.net/keystone/+bug/1242855nvdExploitWEB
- github.com/advisories/GHSA-f889-wfwm-6p7mghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2013-4477ghsaADVISORY
- rhn.redhat.com/errata/RHSA-2014-0113.htmlnvdWEB
- www.ubuntu.com/usn/USN-2034-1nvdWEB
- github.com/openstack/keystone/commit/b17e7bec768bd53d3977352486378698a3db3cfaghsaWEB
- github.com/openstack/keystone/commit/c6800ca1ac984c879e75826df6694d6199444ea0ghsaWEB