Moderate severityNVD Advisory· Published Jun 17, 2014· Updated May 6, 2026

CVE-2014-3476

Description

OpenStack Identity (Keystone) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2 does not properly handle chained delegation, which allows remote authenticated users to gain privileges by leveraging a (1) trust or (2) OAuth token with impersonation enabled to create a new token with additional roles.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
keystonePyPI	< 8.0.0a0	8.0.0a0

Affected products

OpenStack/Keystone
cpe:2.3:a:openstack:keystone:*:*:*:*:*:*:*:*
Range: >=2013.2,<2013.2.4
SUSE S.A./Cloud
cpe:2.3:a:suse:cloud:3:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.openwall.com/lists/oss-security/2014/06/12/3nvdMailing ListPatchThird Party AdvisoryWEB
bugs.launchpad.net/keystone/+bug/1324592nvdExploitIssue TrackingThird Party AdvisoryWEB
lists.opensuse.org/opensuse-security-announce/2014-06/msg00031.htmlnvdMailing ListThird Party AdvisoryWEB
secunia.com/advisories/57886nvdThird Party AdvisoryWEB
secunia.com/advisories/59547nvdThird Party AdvisoryWEB
www.securityfocus.com/bid/68026nvdThird Party AdvisoryVDB EntryWEB
github.com/advisories/GHSA-274v-r947-v34rghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2014-3476ghsaADVISORY

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000