An issue was discovered in OpenStack keystonemiddleware 10.5 through 10.7 before 10.7.2, 10.8 and 10.9 before 10.9.1, and 10.10 through 10.12 before 10.12.1. The external_oauth2_token middleware fails to sanitize incoming authentication headers before processing OAuth 2.0 tokens. By sending forged identity headers such as X-Is-Admin-Project, X-Roles, or X-User-Id, an authenticated attacker may escalate privileges or impersonate other users. All deployments using the external_oauth2_token middleware are affected.
The external_oauth2_token middleware responsible for processing OAuth 2.0 tokens does not sanitize incoming HTTP headers before processing them (CWE-290 — Authentication Bypass by Spoofing). An attacker can submit crafted headers such as X-Is-Admin-Project, X-Roles, or X-User-Id, which are then accepted and processed by the middleware stack as trusted identity values. As a result, the system grants the attacker privileges resulting from the fake headers rather than from the user's actual identity.
An authenticated attacker can escalate their privileges (privilege escalation), including gaining administrative rights, or impersonate any other user in the OpenStack environment, leading to complete breach of confidentiality and integrity of cloud resources.
OpenStack keystonemiddleware should be updated to version 10.7.2, 10.9.1, or 10.12.1 depending on the branch in use. As a temporary workaround, consider disabling or blocking the use of the external_oauth2_token middleware until the patch is deployed. Details available at: https://launchpad.net/bugs/2129018
OpenStack keystonemiddleware in versions: 10.5 – 10.7 (before 10.7.2), 10.8 – 10.9 (before 10.9.1), and 10.10 – 10.12 (before 10.12.1). Affects only deployments using the external_oauth2_token middleware.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L