CVE-2019-3683

The keystone-json-assignment package in SUSE Openstack Cloud 8 before commit d7888c75505465490250c00cc0ef4bb1af662f9f every user listed in the /etc/keystone/user-project-map.json was assigned full "member" role access to every project. This allowed these users to access, modify, create and delete arbitrary resources, contrary to expectations.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
suseCNA
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 50%
VendorProductVersion
suseopenstack_cloud
8.0
susekeystone-json-assignment
𝑥
< 2019-02-18
hphelion_openstack
8.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://bugzilla.suse.com/show_bug.cgi?id=1124864
https://www.suse.com/security/cve/CVE-2019-3683/
https://bugzilla.suse.com/show_bug.cgi?id=1124864