VYPR
← All advisories
High severityNVD Advisory· Published Jul 19, 2018· Updated Aug 5, 2024

CVE-2017-2673

CVE-2017-2673

Description

An authorization-check flaw was discovered in federation configurations of the OpenStack Identity service (keystone). An authenticated federated user could request permissions to a project and unintentionally be granted all related roles including administrative roles.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authorization flaw in OpenStack keystone federation allows authenticated federated users to gain unintended administrative roles.

Vulnerability

An authorization-check flaw exists in the federation configurations of OpenStack Identity (keystone) [1][2]. An authenticated federated user can request permissions to a project and be granted all related roles, including administrative roles, due to insufficient authorization validation. This affects various versions of openstack-keystone in Red Hat OpenStack Platform before the fix released in 2017.

Exploitation

An attacker must be an authenticated federated user in Keystone. By requesting permissions to a project, the user inadvertently receives all roles associated with that project, including administrative roles, without further interaction. The flaw lies in the missing authorization check during role assignment in federation flows.

Impact

Successful exploitation allows an attacker to gain unauthorized administrative roles on OpenStack projects, leading to full control over project resources, including data access, configuration changes, and potential denial of service.

Mitigation

The vulnerability was fixed in openstack-keystone packages released as part of Red Hat errata [3]. Users should update to the latest version of openstack-keystone from their distribution. No workarounds are documented. This CVE is not in the known exploited vulnerabilities (KEV) catalog.

References
  1. cve-details
  2. NVD - CVE-2017-2673
  3. Incorrect role assignment with federated Keystone

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
keystonePyPI
>= 9.0.0, <= 9.3.0
keystonePyPI
>= 10.0.0, < 10.0.210.0.2
keystonePyPI
>= 11.0.0, < 11.0.111.0.1

Affected products

1

Patches

2
05a129e54573

Do not fetch group assignments without groups

https://github.com/openstack/keystoneBoris BobrovApr 25, 2017via ghsa
commit
2 files changed · +33 0
  • keystone/assignment/core.py+5 0 modified
    @@ -165,6 +165,11 @@ def get_roles_for_user_and_domain(self, user_id, domain_id):
 
     def get_roles_for_groups(self, group_ids, project_id=None, domain_id=None):
         """Get a list of roles for this group on domain and/or project."""
+        # if no group ids were passed, there are no roles. Without this check,
+        # all assignments for the project or domain will be fetched,
+        # which is not what we want.
+        if not group_ids:
+            return []
         if project_id is not None:
             self.resource_api.get_project(project_id)
             assignment_list = self.list_role_assignments(
  • keystone/tests/unit/test_v3_federation.py+28 0 modified
    @@ -1776,6 +1776,34 @@ def test_issue_unscoped_token_no_groups(self):
         token_groups = token_resp['token']['user']['OS-FEDERATION']['groups']
         self.assertEqual(0, len(token_groups))
 
+    def test_issue_scoped_token_no_groups(self):
+        """Verify that token without groups cannot get scoped to project.
+
+        This test is required because of bug 1677723.
+        """
+        # issue unscoped token with no groups
+        r = self._issue_unscoped_token(assertion='USER_NO_GROUPS_ASSERTION')
+        self.assertIsNotNone(r.headers.get('X-Subject-Token'))
+        token_resp = r.json_body
+        token_groups = token_resp['token']['user']['OS-FEDERATION']['groups']
+        self.assertEqual(0, len(token_groups))
+        unscoped_token = r.headers.get('X-Subject-Token')
+
+        # let admin get roles in a project
+        self.proj_employees
+        admin = unit.new_user_ref(CONF.identity.default_domain_id)
+        self.identity_api.create_user(admin)
+        self.assignment_api.create_grant(self.role_admin['id'],
+                                         user_id=admin['id'],
+                                         project_id=self.proj_employees['id'])
+
+        # try to scope the token. It should fail
+        scope = self._scope_request(
+            unscoped_token, 'project', self.proj_employees['id']
+        )
+        self.v3_create_token(
+            scope, expected_status=http_client.UNAUTHORIZED)
+
     def test_issue_unscoped_token_malformed_environment(self):
         """Test whether non string objects are filtered out.
2139639eeabc

Do not fetch group assignments without groups

https://github.com/openstack/keystoneBoris BobrovApr 25, 2017via ghsa
commit
2 files changed · +63 0
  • keystone/assignment/core.py+5 0 modified
    @@ -126,6 +126,11 @@ def get_roles_for_user_and_domain(self, user_id, domain_id):
 
     def get_roles_for_groups(self, group_ids, project_id=None, domain_id=None):
         """Get a list of roles for this group on domain and/or project."""
+        # if no group ids were passed, there are no roles. Without this check,
+        # all assignments for the project or domain will be fetched,
+        # which is not what we want.
+        if not group_ids:
+            return []
         if project_id is not None:
             self.resource_api.get_project(project_id)
             assignment_list = self.list_role_assignments(
  • keystone/tests/unit/test_v3_federation.py+58 0 modified
    @@ -1908,6 +1908,34 @@ def test_issue_unscoped_token_no_groups(self):
         token_groups = token_resp['token']['user']['OS-FEDERATION']['groups']
         self.assertEqual(0, len(token_groups))
 
+    def test_issue_scoped_token_no_groups(self):
+        """Verify that token without groups cannot get scoped to project.
+
+        This test is required because of bug 1677723.
+        """
+        # issue unscoped token with no groups
+        r = self._issue_unscoped_token(assertion='USER_NO_GROUPS_ASSERTION')
+        self.assertIsNotNone(r.headers.get('X-Subject-Token'))
+        token_resp = r.json_body
+        token_groups = token_resp['token']['user']['OS-FEDERATION']['groups']
+        self.assertEqual(0, len(token_groups))
+        unscoped_token = r.headers.get('X-Subject-Token')
+
+        # let admin get roles in a project
+        self.proj_employees
+        admin = unit.new_user_ref(CONF.identity.default_domain_id)
+        self.identity_api.create_user(admin)
+        self.assignment_api.create_grant(self.role_admin['id'],
+                                         user_id=admin['id'],
+                                         project_id=self.proj_employees['id'])
+
+        # try to scope the token. It should fail
+        scope = self._scope_request(
+            unscoped_token, 'project', self.proj_employees['id']
+        )
+        self.v3_create_token(
+            scope, expected_status=http_client.UNAUTHORIZED)
+
     def test_issue_unscoped_token_malformed_environment(self):
         """Test whether non string objects are filtered out.
 
@@ -3314,6 +3342,36 @@ def test_mapping_with_groups_includes_projects_with_group_assignment(self):
                 self.expected_results[project_name], roles[0]['name']
             )
 
+    def test_user_gets_only_assigned_roles(self):
+        # in bug 1677723 user could get roles outside of what was assigned
+        # to them. This test verifies that this is no longer true.
+        # Authenticate once to create the projects
+        response = self._issue_unscoped_token()
+        self.assertValidMappedUser(response.json_body['token'])
+        unscoped_token = response.headers.get('X-Subject-Token')
+
+        # Assign admin role to newly-created project to another user
+        staging_project = self.resource_api.get_project_by_name(
+            'Staging', self.idp['domain_id']
+        )
+        admin = unit.new_user_ref(CONF.identity.default_domain_id)
+        self.identity_api.create_user(admin)
+        self.assignment_api.create_grant(self.role_admin['id'],
+                                         user_id=admin['id'],
+                                         project_id=staging_project['id'])
+
+        # Authenticate again with the federated user and verify roles
+        response = self._issue_unscoped_token()
+        self.assertValidMappedUser(response.json_body['token'])
+        unscoped_token = response.headers.get('X-Subject-Token')
+        scope = self._scope_request(
+            unscoped_token, 'project', staging_project['id']
+        )
+        response = self.v3_create_token(scope)
+        roles = response.json_body['token']['roles']
+        role_ids = [r['id'] for r in roles]
+        self.assertNotIn(self.role_admin['id'], role_ids)
+
 
 class JsonHomeTests(test_v3.RestfulTestCase, test_v3.JsonHomeTestMixin):
     JSON_HOME_DATA = {

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

13

News mentions

0

No linked articles in our index yet.