CVE-2019-3683

EUVD-2019-13318
The keystone-json-assignment package in SUSE Openstack Cloud 8 before commit d7888c75505465490250c00cc0ef4bb1af662f9f every user listed in the /etc/keystone/user-project-map.json was assigned full "member" role access to every project. This allowed these users to access, modify, create and delete arbitrary resources, contrary to expectations.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
suseCNA
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 50%
Affected Products (NVD)
VendorProductVersion
suseopenstack_cloud
8.0
susekeystone-json-assignment
𝑥
< 2019-02-18
hphelion_openstack
8.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://bugzilla.suse.com/show_bug.cgi?id=1124864
https://www.suse.com/security/cve/CVE-2019-3683/
https://bugzilla.suse.com/show_bug.cgi?id=1124864