7.9 HIGH
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): HIGH
- Privileges required (PR): HIGH
- User interaction (UI): NONE
- Scope (S): CHANGED
- Confidentiality impact (C): HIGH
- Integrity impact (I): HIGH
- Availability impact (A): LOW
by @LeSuisse
Activity log
- Created suggestion
- @LeSuisse dismissed (not in Nixpkgs)
An issue was discovered in OpenStack Keystone 13 through 29. POST /v3/credentials did not validate that the caller-supplied project_id for an EC2-type credential matched the project of the authenticating application credential. This allowed an attacker holding an unrestricted application credential for project A to create an EC2 credential targeting project B; a subsequent /v3/ec2tokens exchange would then issue a Keystone token scoped to project B while still carrying the original app_cred_id, enabling cross-project lateral movement within the credential owner's role footprint.
References
Affected products
- =<29
Matching in nixpkgs
pkgs.keystone
Lightweight multi-platform, multi-architecture assembler framework
pkgs.rubyPackages.keystone-engine
None
pkgs.python312Packages.keystoneauth1
Authentication Library for OpenStack Identity
- nixos-25.11 keystoneauth1-5.12.0
- nixos-25.11-small keystoneauth1-5.12.0
- nixpkgs-25.11-darwin keystoneauth1-5.12.0
pkgs.python313Packages.keystoneauth1
Authentication Library for OpenStack Identity
- nixos-unstable keystoneauth1-5.13.1
- nixpkgs-unstable keystoneauth1-5.13.1
- nixos-unstable-small keystoneauth1-5.13.1
- nixos-25.11 keystoneauth1-5.12.0
- nixos-25.11-small keystoneauth1-5.12.0
- nixpkgs-25.11-darwin keystoneauth1-5.12.0
pkgs.python314Packages.keystoneauth1
Authentication Library for OpenStack Identity
- nixos-unstable keystoneauth1-5.13.1
- nixpkgs-unstable keystoneauth1-5.13.1
- nixos-unstable-small keystoneauth1-5.13.1
pkgs.rubyPackages_3_3.keystone-engine
None
pkgs.rubyPackages_3_4.keystone-engine
None
pkgs.rubyPackages_4_0.keystone-engine
None
pkgs.python312Packages.keystone-engine
Lightweight multi-platform, multi-architecture assembler framework
pkgs.python313Packages.keystone-engine
Lightweight multi-platform, multi-architecture assembler framework
pkgs.python314Packages.keystone-engine
Lightweight multi-platform, multi-architecture assembler framework
pkgs.python312Packages.python-keystoneclient
Client Library for OpenStack Identity
pkgs.python313Packages.python-keystoneclient
Client Library for OpenStack Identity
pkgs.python314Packages.python-keystoneclient
Client Library for OpenStack Identity
Package maintainers
- @jollheef Mikhail Klementev <root@dumpstack.io>
- @vinetos vinetos <contact+git@vinetos.fr>
- @SuperSandro2000 Sandro Jäckel <sandro.jaeckel@gmail.com>
- @anthonyroussel Anthony Roussel <anthony@roussel.dev>